Edit tour

Windows Analysis Report
Aura.exe

Overview

General Information

Sample name:	Aura.exe
Analysis ID:	1581514
MD5:	fd5fba5d5bef2952443b96241ffa5814
SHA1:	c6613e363bec49bdf5eb98ccf0f4ee85615cad29
SHA256:	08205d107a6b14818a12e3c8e30c3c7c3300e439359dfc0c99ed026815deca41
Tags:	exeLummaStealersigneduser-ventoy
Infos:

Detection

LummaC

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Aura.exe (PID: 6788 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: FD5FBA5D5BEF2952443B96241FFA5814)

conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Aura.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: FD5FBA5D5BEF2952443B96241FFA5814)

Aura.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: FD5FBA5D5BEF2952443B96241FFA5814)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["inherineau.buzz", "appliacnesot.buzz", "screwamusresz.buzz", "hummskitnj.buzz", "prisonyfork.buzz", "scentniej.buzz", "cashfuzysao.buzz", "rebuildeso.buzz", "mindhandru.buzz"], "Build id": "BVnUqo--@hitok4111"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:44:06.239448+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	23.55.153.106	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T23:44:07.090017+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://hummskitnj.buzz:443/api

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["inherineau.buzz", "appliacnesot.buzz", "screwamusresz.buzz", "hummskitnj.buzz", "prisonyfork.buzz", "scentniej.buzz", "cashfuzysao.buzz", "rebuildeso.buzz", "mindhandru.buzz"], "Build id": "BVnUqo--@hitok4111"}

Machine Learning detection for sample

Source: Aura.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: mindhandru.buzz
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: BVnUqo--@hitok4111

Source: Aura.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00911FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00911FE9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00911FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00911FE9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00911F38 FindFirstFileExW,	2_2_00911F38

Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, eax	3_2_0040B11D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	3_2_0043D929
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	3_2_0043D357
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_0041C051
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then lea ebx, dword ptr [eax+eax]	3_2_0041C051
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042D05A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0041F0E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_0043F080
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00435880
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042D0AE
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi]	3_2_0043B910
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004221E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_004221E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, eax	3_2_004269E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp eax	3_2_0043E1F4
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+0Ah]	3_2_0041C980
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-67h]	3_2_00425986
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0041B18C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 4B1BF3DAh	3_2_0041499B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi]	3_2_0041499B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0827F28Dh	3_2_0041499B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [ecx+esi*8], 37A3DD63h	3_2_0041499B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00429241
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], DA026237h	3_2_00423257
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042AAE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4B1BF3DAh	3_2_00438AE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+6ED1A348h]	3_2_004382F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp byte ptr [eax+edi+09h], 00000000h	3_2_004382F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edx], bl	3_2_004092A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, eax	3_2_004092A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov edx, ecx	3_2_0042B3C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3A8FE122h]	3_2_00419BE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00419BE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 11A82DE9h	3_2_00419BE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp eax	3_2_00428BFE
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	3_2_00439459
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov eax, edx	3_2_0040C404
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000001F0h]	3_2_00415C3B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 344CE4E0h	3_2_00415C3B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00429241
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edi, byte ptr [ebp+esi-2Ch]	3_2_0043DCE7
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp eax	3_2_00424C80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042A4B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00422540
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042CD4D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [edi], ax	3_2_0040C551
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_00407500
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov edx, ecx	3_2_00438D10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 6E87DD67h	3_2_00438D10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], 31E2A9F4h	3_2_00438D10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then test eax, eax	3_2_00438D10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp edx, esi	3_2_00438D10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, eax	3_2_0041B5DD
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [esi], ax	3_2_0041D5EC
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ebx, bx	3_2_0042459E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp cl, 0000002Eh	3_2_00426E50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_00426E50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042C62D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [esi], ax	3_2_0041D603
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042C62F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042DE30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1Eh]	3_2_004096A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov edi, ecx	3_2_0041BF5D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000001F0h]	3_2_00415729
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000001F0h]	3_2_00415729
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 344CE4E0h	3_2_00415729

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49733 -> 23.55.153.106:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz
Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: mindhandru.buzz

Source: Joe Sandbox View

IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 23.55.153.106:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=53ecd6dd4a2e46ed5fcc15e1; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 27 Dec 2024 22:44:06 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: mindhandru.buzz
Source: global traffic	DNS traffic detected: DNS query: prisonyfork.buzz
Source: global traffic	DNS traffic detected: DNS query: rebuildeso.buzz
Source: global traffic	DNS traffic detected: DNS query: scentniej.buzz
Source: global traffic	DNS traffic detected: DNS query: inherineau.buzz
Source: global traffic	DNS traffic detected: DNS query: screwamusresz.buzz
Source: global traffic	DNS traffic detected: DNS query: appliacnesot.buzz
Source: global traffic	DNS traffic detected: DNS query: cashfuzysao.buzz
Source: global traffic	DNS traffic detected: DNS query: hummskitnj.buzz
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Aura.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Aura.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Aura.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aura.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Aura.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Aura.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Aura.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Aura.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Aura.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Aura.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Aura.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: Aura.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Aura.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Aura.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fast
Source: Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hummskitnj.buzz:443/api
Source: Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Aura.exe, 00000003.00000002.1753667074.0000000002ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900$
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shopD
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Aura.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: unknown

HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: C:\Users\user\Desktop\Aura.exe

Code function: 3_2_00432C00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00432C00

Source: C:\Users\user\Desktop\Aura.exe

Code function: 3_2_00432C00 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00432C00

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_008F1000	0_2_008F1000
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_008FF555	0_2_008FF555
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00917792	0_2_00917792
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00909CC0	0_2_00909CC0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00915C5E	0_2_00915C5E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00903FB2	0_2_00903FB2
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_008F1000	2_2_008F1000
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_008FF555	2_2_008FF555
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00917792	2_2_00917792
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00909CC0	2_2_00909CC0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00915C5E	2_2_00915C5E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00903FB2	2_2_00903FB2
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040B11D	3_2_0040B11D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00408680	3_2_00408680
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041C051	3_2_0041C051
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042F856	3_2_0042F856
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00438000	3_2_00438000
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004038C0	3_2_004038C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004058D0	3_2_004058D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004260E0	3_2_004260E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00428882	3_2_00428882
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041E080	3_2_0041E080
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004120A0	3_2_004120A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004210B0	3_2_004210B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042C8BC	3_2_0042C8BC
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042BF5D	3_2_0042BF5D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00418968	3_2_00418968
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043E970	3_2_0043E970
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043B910	3_2_0043B910
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004471CB	3_2_004471CB
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004269E0	3_2_004269E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040E1FA	3_2_0040E1FA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041C980	3_2_0041C980
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041499B	3_2_0041499B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004089A0	3_2_004089A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041D9A0	3_2_0041D9A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043F1A0	3_2_0043F1A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004219B0	3_2_004219B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00429241	3_2_00429241
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00432A40	3_2_00432A40
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040AA50	3_2_0040AA50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00423257	3_2_00423257
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00404270	3_2_00404270
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00424200	3_2_00424200
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043EA20	3_2_0043EA20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00415230	3_2_00415230
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004382F0	3_2_004382F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00406290	3_2_00406290
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004092A0	3_2_004092A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042D2B3	3_2_0042D2B3
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043EAB0	3_2_0043EAB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042DB4C	3_2_0042DB4C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00402B20	3_2_00402B20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043FB30	3_2_0043FB30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00419BE0	3_2_00419BE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00429BE1	3_2_00429BE1
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040FB82	3_2_0040FB82
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00404BA0	3_2_00404BA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041E3A0	3_2_0041E3A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00439459	3_2_00439459
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00424460	3_2_00424460
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042846C	3_2_0042846C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043BC30	3_2_0043BC30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00415C3B	3_2_00415C3B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00422C3F	3_2_00422C3F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043F4C0	3_2_0043F4C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00429241	3_2_00429241
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043B4D0	3_2_0043B4D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00427CD5	3_2_00427CD5
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043DCE7	3_2_0043DCE7
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00411480	3_2_00411480
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041DC80	3_2_0041DC80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00427C8F	3_2_00427C8F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00422540	3_2_00422540
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042A550	3_2_0042A550
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00411D74	3_2_00411D74
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00423D78	3_2_00423D78
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00407500	3_2_00407500
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00438D10	3_2_00438D10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041ADD0	3_2_0041ADD0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041E5E0	3_2_0041E5E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00418D9F	3_2_00418D9F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00436DBA	3_2_00436DBA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042EE4B	3_2_0042EE4B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00426E50	3_2_00426E50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040EE60	3_2_0040EE60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043EE60	3_2_0043EE60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00424600	3_2_00424600
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00428E34	3_2_00428E34
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00402EC0	3_2_00402EC0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004376E0	3_2_004376E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004096A0	3_2_004096A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00416745	3_2_00416745
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042CF46	3_2_0042CF46
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042BF5D	3_2_0042BF5D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043E700	3_2_0043E700
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00406720	3_2_00406720
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00408F20	3_2_00408F20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00415729	3_2_00415729
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043F7C0	3_2_0043F7C0

Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 009080F8 appears 42 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 008FFA60 appears 100 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 00900730 appears 38 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 008FFAE4 appears 34 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 00414510 appears 76 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 0090CFD6 appears 40 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 00408060 appears 46 times

Source: Aura.exe

Static PE information: invalid certificate

Source: Aura.exe, 00000000.00000000.1693100355.000000000097E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Aura.exe
Source: Aura.exe, 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Aura.exe
Source: Aura.exe, 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Aura.exe
Source: Aura.exe, 00000003.00000000.1700837550.000000000097E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Aura.exe
Source: Aura.exe, 00000003.00000003.1701067407.00000000049B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Aura.exe
Source: Aura.exe	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs Aura.exe

Source: Aura.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Aura.exe

Static PE information: Section: .bss ZLIB complexity 1.0003282289933444

Source: classification engine

Classification label: mal96.troj.evad.winEXE@6/1@10/1

Source: C:\Users\user\Desktop\Aura.exe

Code function: 3_2_00432000 CoCreateInstance,

3_2_00432000

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_03

Source: Aura.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Aura.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe

File read: C:\Users\user\Desktop\Aura.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: dpapi.dll	Jump to behavior

Source: Aura.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Aura.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Aura.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Aura.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Aura.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Aura.exe

Static PE information: real checksum: 0x899e8 should be: 0x932d7

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_008FFB83 push ecx; ret	0_2_008FFB96
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_008FFB83 push ecx; ret	2_2_008FFB96
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043B870 push eax; mov dword ptr [esp], 68696A6Bh	3_2_0043B87E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0044289D pushfd ; ret	3_2_0044289E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00444918 push cs; iretd	3_2_0044491F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004471CB push ds; retf	3_2_004476AE
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00447AB0 push E0669587h; iretd	3_2_00447AB5
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00444CF4 push esp; ret	3_2_00444CF9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00444ED1 push edi; ret	3_2_00444ED3
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043E6B0 push eax; mov dword ptr [esp], AFAEAD9Ch	3_2_0043E6B1

Source: C:\Users\user\Desktop\Aura.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-22756

Source: C:\Users\user\Desktop\Aura.exe TID: 7028

Thread sleep time: -90000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00911FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00911FE9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00911FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00911FE9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00911F38 FindFirstFileExW,	2_2_00911F38

Source: Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EAD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Aura.exe

Code function: 3_2_0043CFA0 LdrInitializeThunk,

3_2_0043CFA0

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_008FF8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008FF8E9

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_0092A19E mov edi, dword ptr fs:[00000030h]	0_2_0092A19E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_008F1FB0 mov edi, dword ptr fs:[00000030h]	0_2_008F1FB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_008F1FB0 mov edi, dword ptr fs:[00000030h]	2_2_008F1FB0

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_0090D8E0 GetProcessHeap,

0_2_0090D8E0

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_008FF52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008FF52D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_008FF8DD SetUnhandledExceptionFilter,	0_2_008FF8DD
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_008FF8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008FF8E9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00907E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00907E30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_008FF52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_008FF52D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_008FF8DD SetUnhandledExceptionFilter,	2_2_008FF8DD
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_008FF8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_008FF8E9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00907E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00907E30

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_0092A19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0092A19E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Aura.exe

Memory written: C:\Users\user\Desktop\Aura.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Aura.exe, 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: Aura.exe, 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: Aura.exe, 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: Aura.exe, 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: Aura.exe, 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: Aura.exe, 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: Aura.exe, 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: Aura.exe, 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: Aura.exe, 00000000.00000002.1701564038.0000000005192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: mindhandru.buzz

Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	0_2_0090D1BD
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00911287
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	0_2_009114D8
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00911580
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	0_2_009117D3
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	0_2_00911840
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	0_2_00911915
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	0_2_00911960
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00911A07
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	0_2_00911B0D
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	0_2_0090CC15
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	2_2_0090D1BD
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00911287
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	2_2_009114D8
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00911580
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	2_2_009117D3
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	2_2_00911840
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	2_2_00911915
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	2_2_00911960
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00911A07
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	2_2_00911B0D
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	2_2_0090CC15

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_009000B4 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_009000B4

Source: C:\Users\user\Desktop\Aura.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Aura.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://hummskitnj.buzz:443/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
cashfuzysao.buzz	unknown	unknown	true	unknown
scentniej.buzz	unknown	unknown	true	unknown
inherineau.buzz	unknown	unknown	true	unknown
prisonyfork.buzz	unknown	unknown	false	high
rebuildeso.buzz	unknown	unknown	true	unknown
appliacnesot.buzz	unknown	unknown	true	unknown
hummskitnj.buzz	unknown	unknown	true	unknown
mindhandru.buzz	unknown	unknown	false	high
screwamusresz.buzz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
scentniej.buzz	false	high
hummskitnj.buzz	false	high
mindhandru.buzz	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
rebuildeso.buzz	false	high
appliacnesot.buzz	false	high
screwamusresz.buzz	false	high
cashfuzysao.buzz	false	high
inherineau.buzz	false	high
prisonyfork.buzz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net03	Aura.exe	false		high
https://steamcommunity.com/?subsection=broadcasts	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net02	Aura.exe	false		high
https://help.steampowered.com/en/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900$	Aura.exe, 00000003.00000002.1753667074.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/ts1ca.crl0	Aura.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shopD	Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.entrust.net/rpa03	Aura.exe	false		high
http://store.steampowered.com/privacy_agreement/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199724331900	Aura.exe, 00000003.00000002.1753667074.0000000002EAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aia.entrust.net/ts1-chain256.cer01	Aura.exe	false		high
https://store.steampowered.com/	Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fast	Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hummskitnj.buzz:443/api	Aura.exe, 00000003.00000002.1753667074.0000000002EAD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	Aura.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	Aura.exe, 00000003.00000002.1753800424.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.1753667074.0000000002EF4000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753148965.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.entrust.net/rpa0	Aura.exe	false		high
https://store.steampowered.com/about/	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	Aura.exe, 00000003.00000003.1753116736.0000000002F43000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000003.1753116736.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581514
Start date and time:	2024-12-27 23:43:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Aura.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@6/1@10/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 39 Number of non-executed functions: 157
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target Aura.exe, PID 6952 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Aura.exe

Simulations

Behavior and APIs

Time	Type	Description
17:44:02	API Interceptor	5x Sleep call for process: Aura.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.55.153.106	Installer.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse
	z3IxCpcpg4.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	Installer.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Installer.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Leside-.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Setup.exe	Get hash	malicious	Unknown	Browse	104.121.10.34
	Setup.exe	Get hash	malicious	Unknown	Browse	23.55.153.106
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	Installer.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Setup.exe	Get hash	malicious	Unknown	Browse	23.55.153.106
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	23.55.153.106
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	grand-theft-auto-5-theme-1-installer_qb8W-j1.exe	Get hash	malicious	Unknown	Browse	184.85.182.130
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	23.55.153.106
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	23.55.153.106

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Loader.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	WonderHack.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Installer.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	Installer.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	NewSetup.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	iviewers.dll	Get hash	malicious	LummaC	Browse	23.55.153.106
	launcher.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Aura.exe
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14402
Entropy (8bit):	4.874636730022465
Encrypted:	false
SSDEEP:	384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo
MD5:	DF0EFD0545733561C6E165770FB3661C
SHA1:	0F3AD477176CF235C6C59EE2EB15D81DCB6178A8
SHA-256:	A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17
SHA-512:	3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918
Malicious:	false
Reputation:	low
Preview:	AcquireSRWLockExclusive..AcquireSRWLockShared..ActivateActCtx..ActivateActCtxWorker..AddAtomA..AddAtomW..AddConsoleAliasA..AddConsoleAliasW..AddDllDirectory..AddIntegrityLabelToBoundaryDescriptor..AddLocalAlternateComputerNameA..AddLocalAlternateComputerNameW..AddRefActCtx..AddRefActCtxWorker..AddResourceAttributeAce..AddSIDToBoundaryDescriptor..AddScopedPolicyIDAce..AddSecureMemoryCacheCallback..AddVectoredContinueHandler..AddVectoredExceptionHandler..AdjustCalendarDate..AllocConsole..AllocateUserPhysicalPages..AllocateUserPhysicalPagesNuma..AppPolicyGetClrCompat..AppPolicyGetCreateFileAccess..AppPolicyGetLifecycleManagement..AppPolicyGetMediaFoundationCodecLoading..AppPolicyGetProcessTerminationMethod..AppPolicyGetShowDeveloperDiagnostic..AppPolicyGetThreadInitializationType..AppPolicyGetWindowingModel..AppXGetOSMaxVersionTested..ApplicationRecoveryFinished..ApplicationRecoveryInProgress..AreFileApisANSI..AssignProcessToJobObject..AttachConsole..BackupRead..BackupSeek..BackupWrite..B

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.5671669193870175
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Aura.exe
File size:	569'384 bytes
MD5:	fd5fba5d5bef2952443b96241ffa5814
SHA1:	c6613e363bec49bdf5eb98ccf0f4ee85615cad29
SHA256:	08205d107a6b14818a12e3c8e30c3c7c3300e439359dfc0c99ed026815deca41
SHA512:	c05d7da1000551a91ca7542bdd9a837d99563bf3eab7a98d2ced77be9c171f4f20daa78e1f3dbf577bd6e2d3860bb1c9482ee5e9f5f2539056cc902c63d05f7f
SSDEEP:	12288:mYO6Dqzihouxpa+yWZ+QDKn5zXex8moYjG60VsZy/zQQYBqEO:fO6DThou2+y6b0o8moYy6SsZybvMqt
TLSH:	BDC4E0423691C4B3C953157699B9D779493EBC200F615ACB93A80BFECEB02C15F31A5E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ng..........................................@.......................................@.................................\|j..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4104a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x676E98E6 [Fri Dec 27 12:09:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	96d90e8808da099bc17e050394f447e7

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/01/2023 19:00:00 16/01/2026 18:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007FA1B46E3AEAh
jmp 00007FA1B46E394Dh
mov ecx, dword ptr [0043B680h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FA1B46E3AE6h
test esi, ecx
jne 00007FA1B46E3B08h
call 00007FA1B46E3B11h
mov ecx, eax
cmp ecx, edi
jne 00007FA1B46E3AE9h
mov ecx, BB40E64Fh
jmp 00007FA1B46E3AF0h
test esi, ecx
jne 00007FA1B46E3AECh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0043B680h], ecx
not ecx
pop edi
mov dword ptr [0043B6C0h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00436D00h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00436CB8h]
xor dword ptr [ebp-04h], eax
call dword ptr [00436CB4h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00436D50h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0043CF48h
call dword ptr [00436D28h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007FA1B46EA8C3h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36a7c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x3fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x88a00	0x2628	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f000	0x2744	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32608	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ea98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36c3c	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b4ca	0x2b600	ebf84c6b836020b1a66433a898baeab7	False	0.5443702719740634	data	6.596404756541432	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2d000	0xc50c	0xc600	96e76e7ef084461591b1dcd4c2131f05	False	0.40260022095959597	data	4.741850626178578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x3714	0x2800	d87fd4546a2b39263a028b496b33108f	False	0.29814453125	data	5.024681407682101	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3e000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3f000	0x2744	0x2800	c7508b57e36483307c47b7dd73fc0c85	False	0.75166015625	data	6.531416896423856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x42000	0x4b200	0x4b200	819c6c38226d2bfad799df898d1785bc	False	1.0003282289933444	data	7.999409219617241	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8e000	0x3fc	0x400	4243bfa36d7c6187562be2edfa0b46c2	False	0.443359375	data	3.391431520369637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8e058	0x3a4	data	English	United States	0.44849785407725323

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

USER32.dll

ShowWindow

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T23:44:06.239448+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	23.55.153.106	443	TCP
2024-12-27T23:44:07.090017+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49733	23.55.153.106	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 23:44:04.787168026 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:04.787301064 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:04.787406921 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:04.799254894 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:04.799309969 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:06.239330053 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:06.239448071 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:06.362715006 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:06.362730980 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:06.363096952 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:06.413516998 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:06.438066006 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:06.483336926 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.090137005 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.090159893 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.090193033 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.090195894 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:07.090213060 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.090234041 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.090248108 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:07.090249062 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:07.090255976 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.090276003 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:07.090296030 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:07.274050951 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.274094105 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.274137020 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:07.274152994 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.274198055 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:07.282324076 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.282404900 CET	443	49733	23.55.153.106	192.168.2.4
Dec 27, 2024 23:44:07.282481909 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:07.284612894 CET	49733	443	192.168.2.4	23.55.153.106
Dec 27, 2024 23:44:07.284626007 CET	443	49733	23.55.153.106	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 23:44:02.257605076 CET	55202	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:44:02.473464966 CET	53	55202	1.1.1.1	192.168.2.4
Dec 27, 2024 23:44:02.478322029 CET	62571	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:44:02.705287933 CET	53	62571	1.1.1.1	192.168.2.4
Dec 27, 2024 23:44:02.707771063 CET	56489	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:44:03.012628078 CET	53	56489	1.1.1.1	192.168.2.4
Dec 27, 2024 23:44:03.016460896 CET	64965	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:44:03.237051010 CET	53	64965	1.1.1.1	192.168.2.4
Dec 27, 2024 23:44:03.238784075 CET	54032	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:44:03.532668114 CET	53	54032	1.1.1.1	192.168.2.4
Dec 27, 2024 23:44:03.647356033 CET	59476	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:44:03.878480911 CET	53	59476	1.1.1.1	192.168.2.4
Dec 27, 2024 23:44:03.883863926 CET	52270	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:44:04.110251904 CET	53	52270	1.1.1.1	192.168.2.4
Dec 27, 2024 23:44:04.113481998 CET	58569	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:44:04.341614008 CET	53	58569	1.1.1.1	192.168.2.4
Dec 27, 2024 23:44:04.345160007 CET	60747	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:44:04.559731007 CET	53	60747	1.1.1.1	192.168.2.4
Dec 27, 2024 23:44:04.562787056 CET	50501	53	192.168.2.4	1.1.1.1
Dec 27, 2024 23:44:04.781461954 CET	53	50501	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 23:44:02.257605076 CET	192.168.2.4	1.1.1.1	0xb5f7	Standard query (0)	mindhandru.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:02.478322029 CET	192.168.2.4	1.1.1.1	0xb35a	Standard query (0)	prisonyfork.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:02.707771063 CET	192.168.2.4	1.1.1.1	0x9111	Standard query (0)	rebuildeso.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:03.016460896 CET	192.168.2.4	1.1.1.1	0x41c1	Standard query (0)	scentniej.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:03.238784075 CET	192.168.2.4	1.1.1.1	0x58a0	Standard query (0)	inherineau.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:03.647356033 CET	192.168.2.4	1.1.1.1	0xffff	Standard query (0)	screwamusresz.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:03.883863926 CET	192.168.2.4	1.1.1.1	0x8cdf	Standard query (0)	appliacnesot.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:04.113481998 CET	192.168.2.4	1.1.1.1	0xe982	Standard query (0)	cashfuzysao.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:04.345160007 CET	192.168.2.4	1.1.1.1	0xf8d7	Standard query (0)	hummskitnj.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:04.562787056 CET	192.168.2.4	1.1.1.1	0x941f	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 23:44:02.473464966 CET	1.1.1.1	192.168.2.4	0xb5f7	Name error (3)	mindhandru.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:02.705287933 CET	1.1.1.1	192.168.2.4	0xb35a	Name error (3)	prisonyfork.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:03.012628078 CET	1.1.1.1	192.168.2.4	0x9111	Name error (3)	rebuildeso.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:03.237051010 CET	1.1.1.1	192.168.2.4	0x41c1	Name error (3)	scentniej.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:03.532668114 CET	1.1.1.1	192.168.2.4	0x58a0	Name error (3)	inherineau.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:03.878480911 CET	1.1.1.1	192.168.2.4	0xffff	Name error (3)	screwamusresz.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:04.110251904 CET	1.1.1.1	192.168.2.4	0x8cdf	Name error (3)	appliacnesot.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:04.341614008 CET	1.1.1.1	192.168.2.4	0xe982	Name error (3)	cashfuzysao.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:04.559731007 CET	1.1.1.1	192.168.2.4	0xf8d7	Name error (3)	hummskitnj.buzz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 23:44:04.781461954 CET	1.1.1.1	192.168.2.4	0x941f	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	23.55.153.106	443	6988	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 22:44:06 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-27 22:44:07 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 27 Dec 2024 22:44:06 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=53ecd6dd4a2e46ed5fcc15e1; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-27 22:44:07 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-27 22:44:07 UTC	10097	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>
2024-12-27 22:44:07 UTC	1089	IN	Data Raw: 68 65 69 72 20 72 65 73 70 65 63 74 69 76 65 20 6f 77 6e 65 72 73 20 69 6e 20 74 68 65 20 55 53 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 75 6e 74 72 69 65 73 2e 3c 62 72 2f 3e 53 6f 6d 65 20 67 65 6f 73 70 61 74 69 61 6c 20 64 61 74 61 20 6f 6e 20 74 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 70 72 6f 76 69 64 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0a 09 09 09 09 09 Data Ascii: heir respective owners in the US and other countries.<br/>Some geospatial data on this website is provided by <a href="https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br>

Target ID:	0
Start time:	17:44:00
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Aura.exe"
Imagebase:	0x8f0000
File size:	569'384 bytes
MD5 hash:	FD5FBA5D5BEF2952443B96241FFA5814
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:44:00
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:44:01
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Aura.exe"
Imagebase:	0x8f0000
File size:	569'384 bytes
MD5 hash:	FD5FBA5D5BEF2952443B96241FFA5814
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:44:01
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Aura.exe"
Imagebase:	0x8f0000
File size:	569'384 bytes
MD5 hash:	FD5FBA5D5BEF2952443B96241FFA5814
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	25

Executed Functions

Function 0092A19E Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0092A110,0092A100), ref: 0092A334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0092A347
Wow64GetThreadContext.KERNEL32(00000094,00000000), ref: 0092A365
ReadProcessMemory.KERNELBASE(00000098,?,0092A154,00000004,00000000), ref: 0092A389
VirtualAllocEx.KERNELBASE(00000098,?,?,00003000,00000040), ref: 0092A3B4
TerminateProcess.KERNELBASE(00000098,00000000), ref: 0092A3D3
WriteProcessMemory.KERNELBASE(00000098,00000000,?,?,00000000,?), ref: 0092A40C
WriteProcessMemory.KERNELBASE(00000098,00400000,?,?,00000000,?,00000028), ref: 0092A457
WriteProcessMemory.KERNELBASE(00000098,?,?,00000004,00000000), ref: 0092A495
Wow64SetThreadContext.KERNEL32(00000094,03450000), ref: 0092A4D1
ResumeThread.KERNELBASE(00000094), ref: 0092A4E0

Strings

WriteProcessMemory, xrefs: 0092A2AF
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 0092A333
VirtualAllocEx, xrefs: 0092A29C
ReadProcessMemory, xrefs: 0092A289
Load, xrefs: 0092A1DA
GetP, xrefs: 0092A21E
aryA, xrefs: 0092A1E2
VirtualAlloc, xrefs: 0092A263
TerminateProcess, xrefs: 0092A3C3
GetThreadContext, xrefs: 0092A276
SetThreadContext, xrefs: 0092A2C2
ResumeThread, xrefs: 0092A2D8
ress, xrefs: 0092A226
CreateProcessW, xrefs: 0092A250

Memory Dump Source

Source File: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: e6e063914b37e49d3c39006cfaf3639f20a0bc35b59d948135e637e11d002864
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 8EB1077260064AAFDB60CF68CC80BDAB3A5FF88714F158524EA0CAB345D774FA51CB94

Function 008F1FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008F1240: _strlen.LIBCMT ref: 008F12BA

CreateFileA.KERNELBASE ref: 008F2036
GetFileSize.KERNEL32(00000000,00000000), ref: 008F2046
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 008F206B
CloseHandle.KERNELBASE(00000000), ref: 008F207A
_strlen.LIBCMT ref: 008F20CD
CloseHandle.KERNEL32(00000000), ref: 008F21FD

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: File$CloseHandle_strlen$CreateReadSize
String ID:
API String ID: 2911764282-0
Opcode ID: e7d22804882f39afd928f0a8bbdb194b1442a3322fbfef1f25e3c556943f09f2
Instruction ID: 87a790d16f9c4921a2ab58c38188dbc5348704e308093cb64900f04a3f945059
Opcode Fuzzy Hash: e7d22804882f39afd928f0a8bbdb194b1442a3322fbfef1f25e3c556943f09f2
Instruction Fuzzy Hash: 5E71C1B2C002189BCB10DFB8DC45BAEBBB5FF48324F140628E914E7391E735A945CBA1

Function 008F1000 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d824e9a4f2a1244f83c163017fddc499c947c36e860494042c73f6a920c7267
Instruction ID: 68da7c00487212f4d05bd3d27a58c8c77c95bb70c98a0e8da67168ceec00710d
Opcode Fuzzy Hash: 9d824e9a4f2a1244f83c163017fddc499c947c36e860494042c73f6a920c7267
Instruction Fuzzy Hash: A1215C3361056D4B8B5C9F386C66037FB4AEBC25A0705573AEE12DF3C1E921DD1082E8

Function 008F24B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 008F24DD
ShowWindow.USER32(00000000,00000000), ref: 008F24E6
GetCurrentThreadId.KERNEL32 ref: 008F2524

Part of subcall function 008FF11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,008F253A,?,?,00000000), ref: 008FF129
Part of subcall function 008FF11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,008F253A,?,?,00000000), ref: 008FF142
Part of subcall function 008FF11D: CloseHandle.KERNEL32(?,?,?,008F253A,?,?,00000000), ref: 008FF154

std::_Throw_Cpp_error.LIBCPMT ref: 008F2567
std::_Throw_Cpp_error.LIBCPMT ref: 008F2578
std::_Throw_Cpp_error.LIBCPMT ref: 008F2589
std::_Throw_Cpp_error.LIBCPMT ref: 008F259A

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: 96a798ed87ba89e3101259afd4644aac8e5846a9d44a0ac7cc9f95866f46b2f5
Instruction ID: 60d56eb7fa701a5131df057c5a35c4a559d0238a9b04bbcaf9db935ad581eef8
Opcode Fuzzy Hash: 96a798ed87ba89e3101259afd4644aac8e5846a9d44a0ac7cc9f95866f46b2f5
Instruction Fuzzy Hash: 842167F1D4021D9BDF50AFB4DC06BAE7AB4FF04710F180125F708B6281E7B5A514CAA6

Function 0090CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,DD9B9B17,?,0090D01A,?,?,00000000), ref: 0090CFCC

Strings

ext-ms-, xrefs: 0090CF76
api-ms-, xrefs: 0090CF62

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 0b0602c0055b580114544af68d54f01807215103e307e3d575991412f6bd672c
Instruction ID: 5b8ce6770818b78070694d811cd15896cb214432413cecf4700ca5be81cc417a
Opcode Fuzzy Hash: 0b0602c0055b580114544af68d54f01807215103e307e3d575991412f6bd672c
Instruction Fuzzy Hash: 552157B1B56312AFC731AB65EC40A5A7B6EDB81760F240311FB45A72D0DB70ED01D6D1

Function 008F1750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 008F1783

Strings

ios_base::failbit set, xrefs: 008F1BEF
ios_base::badbit set, xrefs: 008F1BFA, 008F1C20
ios_base::eofbit set, xrefs: 008F1BEA

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: a471d6db9145f49595e996af98fa91c821b28282c80490c42c5a370be90c6fa8
Instruction ID: e260882cdc1ec1a7c41f205ee954be2c2bcc80ef2ce42368813a3b3b768b2817
Opcode Fuzzy Hash: a471d6db9145f49595e996af98fa91c821b28282c80490c42c5a370be90c6fa8
Instruction Fuzzy Hash: 48F14975A00218CFCF14DF68C498AADBBB1FF88324F194269E915AB391D774AD41CB90

Function 00905349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00015470,00000000,00000000,00000000), ref: 00905392
GetLastError.KERNEL32(?,?,?,008F2513,00000000,00000000), ref: 0090539E
__dosmaperr.LIBCMT ref: 009053A5

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: c601bacdaeb366b31dc137ea448dec3838957e4624ff1784a8c813d3405ba8ae
Instruction ID: e27f3d828d0af58579ef8acb1a481f2a01af1621975ad64f6d27bc0693cd7c58
Opcode Fuzzy Hash: c601bacdaeb366b31dc137ea448dec3838957e4624ff1784a8c813d3405ba8ae
Instruction Fuzzy Hash: DA018C72904619EFDF15AFA0DC06AAF7B69FF403A0F018058F801921D0EBB1DA40DB90

Function 009054EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0090C2BB: GetLastError.KERNEL32(00000000,?,009076E9,0090D306,?,?,0090C1B7,00000001,00000364,?,00000005,000000FF,?,00905495,00928E38,0000000C), ref: 0090C2BF
Part of subcall function 0090C2BB: SetLastError.KERNEL32(00000000), ref: 0090C361

CloseHandle.KERNEL32(?,?,?,009053D9,?,?,009054CE,00000000), ref: 0090551F
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,009053D9,?,?,009054CE,00000000), ref: 00905535
ExitThread.KERNEL32 ref: 0090553E

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: fb26a4d4a976cbf6fbc3ceea5a787824779ab44a6f74df077a5070eb1d9e1a91
Instruction ID: a504ceb95ad4ed59bdd689b4fd9f58867c4d5394a7bb0f2bbafb3ffe8cf15175
Opcode Fuzzy Hash: fb26a4d4a976cbf6fbc3ceea5a787824779ab44a6f74df077a5070eb1d9e1a91
Instruction Fuzzy Hash: 62F05EB1104A006FCB316B75DC08A1B3A9EAF01370B0A4614F8A9C74E0DB20DD42DB90

Function 0090565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,00905721,00908396,00908396,?,00000002,DD9B9B17,00908396,00000002), ref: 00905670
TerminateProcess.KERNEL32(00000000,?,00905721,00908396,00908396,?,00000002,DD9B9B17,00908396,00000002), ref: 00905677
ExitProcess.KERNEL32 ref: 00905689

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 85553cd410fe2d797393fa84bf35afe9afcdbc7abe6b7f4c0db78d7d533e84c3
Instruction ID: 6d099b6fa26ab0c3dbe72284cc79eaae5cc8032a16b509154c367e1c2b4b0ca2
Opcode Fuzzy Hash: 85553cd410fe2d797393fa84bf35afe9afcdbc7abe6b7f4c0db78d7d533e84c3
Instruction Fuzzy Hash: EBD09231014648BFCF217F61DC0D99A3F2AEF80391B458010BA894A4B2DF329993EE84

Function 00913BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00913F9E: GetConsoleOutputCP.KERNEL32(DD9B9B17,00000000,00000000,?), ref: 00914001

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00908584,?), ref: 00913D79
GetLastError.KERNEL32(?,?,00908584,?,009087C8,00000000,?,00000000,009087C8,?,?,?,00928FE8,0000002C,009086B4,?), ref: 00913D83

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 058f849b390095c691b85054e6f4bf3d4bf9f450b002910838f46372fa5b63dd
Instruction ID: f45cb9b9140ba8d8781ad9b6cf29b10b8dad672581dc518cd61ad66f35798b51
Opcode Fuzzy Hash: 058f849b390095c691b85054e6f4bf3d4bf9f450b002910838f46372fa5b63dd
Instruction Fuzzy Hash: 8161D2B5E0411DAFDF11DFA8D884AEEBFB9AF49304F144549E840B7291D335DA82CBA0

Function 009143CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00913D5F,00000000,009087C8,?,00000000,?,00000000), ref: 00914469
GetLastError.KERNEL32(?,00913D5F,00000000,009087C8,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00908584), ref: 0091448F

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 8bf90a38505060b7f14222447462a5a68d364850d3ac8d54355dae51c02fa04e
Instruction ID: 59a8df3e3034e0ec4d40e2583a081688e3d2d20190a4528df47303d0355adf9e
Opcode Fuzzy Hash: 8bf90a38505060b7f14222447462a5a68d364850d3ac8d54355dae51c02fa04e
Instruction Fuzzy Hash: 6B217E35B002199BCF19CF69DC80AE9B7F9EB4C305F1444A9EA06D7261D630AD82CF65

Function 008F90F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 008F91C9
std::_Throw_Cpp_error.LIBCPMT ref: 008F91D7

Part of subcall function 008FEFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,008F8E4A,008FA2F0), ref: 008FEFE7

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID:
API String ID: 3666349979-0
Opcode ID: 77cca479f5b686ef0aa0782869beb30b89c066e035921ec3ee5c240d1b0dd657
Instruction ID: 3c2415e228b28d0df2c16901ea3359c6c4cf3e923dda99ece5a39b305e2670ab
Opcode Fuzzy Hash: 77cca479f5b686ef0aa0782869beb30b89c066e035921ec3ee5c240d1b0dd657
Instruction Fuzzy Hash: 2321F6B09006499BDB109F78C9457BEBBB4FB04320F144228E65597381D734A945CBD2

Function 0090DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,0090D941,00929330,0000000C), ref: 0090DA9E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,0090D941,00929330,0000000C), ref: 0090DAB0

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 35a341881d330d1d2ed34d1736b458044d4d4c359fee185e630051b2d5ce2875
Instruction ID: 6f1ba9525eca1d6a2f47244b97f12565b0fca8f6cb63627a355ceae52a469a49
Opcode Fuzzy Hash: 35a341881d330d1d2ed34d1736b458044d4d4c359fee185e630051b2d5ce2875
Instruction Fuzzy Hash: 9011B67170D7424ECB308EBE8C88623BE99AB56330B38075AD1B6C69F1C7B4D986D641

Function 008F1EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008F1240: _strlen.LIBCMT ref: 008F12BA

FreeConsole.KERNELBASE(?,?,?,?,?,008F173F,?,?,?,00000000,?), ref: 008F1F21
VirtualProtect.KERNELBASE(0092A011,00000549,00000040,?), ref: 008F1F78

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual_strlen
String ID:
API String ID: 1248733679-0
Opcode ID: 32ce3f97b13a3cb516f785a1bae33b4a1709384bc8c890ee58478e19f68b3103
Instruction ID: b0f294bda6fd7716873dd9087b5cf389cd824b18427b6256cdf1b19e4a726775
Opcode Fuzzy Hash: 32ce3f97b13a3cb516f785a1bae33b4a1709384bc8c890ee58478e19f68b3103
Instruction Fuzzy Hash: 1C113A71B40118ABDF10BBB4AC06EFE37B4EB85704F004024F604E72C2EA71695157C6

Function 00905470 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00928E38,0000000C), ref: 00905483
ExitThread.KERNEL32 ref: 0090548A

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 6eab952ef1501b7ec121a81b9cb05564fb6804f67740e3f7ef3e5016cc48a07e
Instruction ID: 603af4fcb717b5e4bf283c5918bc71b33d0b0a850e4b3fea485f820a2408dc3c
Opcode Fuzzy Hash: 6eab952ef1501b7ec121a81b9cb05564fb6804f67740e3f7ef3e5016cc48a07e
Instruction Fuzzy Hash: A0F0A9B1A00614AFDB20BFB0C80AA6E3B74FF80B10F114159F106972E2DF746982DBA1

Function 008F2270 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 008F2288
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 008F229C

Part of subcall function 008F1FB0: CreateFileA.KERNELBASE ref: 008F2036
Part of subcall function 008F1FB0: GetFileSize.KERNEL32(00000000,00000000), ref: 008F2046
Part of subcall function 008F1FB0: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 008F206B
Part of subcall function 008F1FB0: CloseHandle.KERNELBASE(00000000), ref: 008F207A
Part of subcall function 008F1FB0: _strlen.LIBCMT ref: 008F20CD

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: File$HandleModule$CloseCreateNameReadSize_strlen
String ID:
API String ID: 3505371420-0
Opcode ID: 595e7203bf7149fc7ba73ad95e91ced766ac2206c6ee795f69276305cea81e8c
Instruction ID: b40b91d01286e20212672db0e2a58ada79468709d2e5125c98cd6db73484c1e9
Opcode Fuzzy Hash: 595e7203bf7149fc7ba73ad95e91ced766ac2206c6ee795f69276305cea81e8c
Instruction Fuzzy Hash: F6F0E5B1A142106BD535B724AC4FFAB7BACDF95720F000514F6898A181EA74214696D3

Function 0090BED7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,009102B4,?,00000000,?,?,0090FF54,?,00000007,?,?,0091089A,?,?), ref: 0090BEED
GetLastError.KERNEL32(?,?,009102B4,?,00000000,?,?,0090FF54,?,00000007,?,?,0091089A,?,?), ref: 0090BEF8

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: e98cebf1baf3a8b56e103400dc7717807e26ff374b2ef16fe8ec47bb37a98903
Instruction ID: bd668754e2f2e3080dc87f9e7e2df7496070c517f6c5422c90cd6da9510d875e
Opcode Fuzzy Hash: e98cebf1baf3a8b56e103400dc7717807e26ff374b2ef16fe8ec47bb37a98903
Instruction Fuzzy Hash: C6E08C32619254AFCB313FA4AC08B997B68EB403A1F104021F708971F0CB31A941DB94

Function 0090C16A Relevance: 2.6, APIs: 2, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00905495,00928E38,0000000C), ref: 0090C16E
SetLastError.KERNEL32(00000000), ref: 0090C210

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 3e7f2affd77955fce9abd89dd62a9a32b44cc5812fa3842dda01243c0e735071
Instruction ID: c8b9899881f7903c55a4de04c4a281fc440f5b6fd8c19b800e321d672344ca73
Opcode Fuzzy Hash: 3e7f2affd77955fce9abd89dd62a9a32b44cc5812fa3842dda01243c0e735071
Instruction Fuzzy Hash: F211E9B12996146FE7613BF4ACC7F2736DDAF80768B240724F620915E3DB548C06A191

Function 008FDEF0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b527cdb85beed671a2be3b4e1e8b2ee9bda5a317c5adbe6142f69166faa0570a
Instruction ID: e03245da223956815b42e5aa0b5d986089b08f5e2ce081df9e7ec87c761de81a
Opcode Fuzzy Hash: b527cdb85beed671a2be3b4e1e8b2ee9bda5a317c5adbe6142f69166faa0570a
Instruction Fuzzy Hash: 48418E32A0021EAFCB14DF78C8949FDB7B9FF58314B540169E642E7A90EB31E945DB90

Function 008FCB40 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e900321fe61135b299d67ed9c72774168a2794ee8b29099f5d8940fe8d4507ef
Instruction ID: c545da6f9d7d625cd88efe1269d5e837a0575943225e60da91ab75350e313b4c
Opcode Fuzzy Hash: e900321fe61135b299d67ed9c72774168a2794ee8b29099f5d8940fe8d4507ef
Instruction Fuzzy Hash: 6131937290011EAFCB14DF78D9909FDB7B8FF09324B14026AE616E3690E731EA44DB90

Function 008FB060 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 008FAFC4: GetModuleHandleExW.KERNEL32(00000002,00000000,008F8A2A,?,?,008FAF87,008F8A2A,?,008FAF58,008F8A2A,?,?,?), ref: 008FAFD0

FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,DD9B9B17,?,?,?,Function_0002BE94,000000FF), ref: 008FB0C7

Part of subcall function 008FAEFA: std::_Throw_Cpp_error.LIBCPMT ref: 008FAF1B

Part of subcall function 008FEFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,008F8E4A,008FA2F0), ref: 008FEFE7

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
String ID:
API String ID: 3627539351-0
Opcode ID: 0eddd4a4332b0e9080d91e5f8facfffba59a570241b36dda19fc83f12a612b0c
Instruction ID: 69e03134ec569fe73fa1188ea9e031efe3efcafe09bf05d65e1c55d22cdd8e33
Opcode Fuzzy Hash: 0eddd4a4332b0e9080d91e5f8facfffba59a570241b36dda19fc83f12a612b0c
Instruction Fuzzy Hash: E111E2B27046589BCA39BB39DC11A3E77A9FB81B31F00442AF615CB690CF349941DA92

Function 0090CFD6 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d47df6493a07d535e9f2d024629a4db20b8ae8fb5d4064d84230f1e0744c8a
Instruction ID: f943d1db2e2eada1ca5efd997ab983472adbf1bca9839878edd0e552dd1d166d
Opcode Fuzzy Hash: 11d47df6493a07d535e9f2d024629a4db20b8ae8fb5d4064d84230f1e0744c8a
Instruction Fuzzy Hash: 0801F5332252159FDB268FA8EC4091633BABBC0724B254524F918D70D8DB31D802A790

Function 008FCB32 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 6e616940b158dd1625fae93f47d48ba0ee825282f0b326ee16e6ad2d558d1206
Instruction ID: 760bb33aedb5cbb60091f86c8fa99fbe0a53f1f333695a14e3e4fbe1ce5c68f9
Opcode Fuzzy Hash: 6e616940b158dd1625fae93f47d48ba0ee825282f0b326ee16e6ad2d558d1206
Instruction Fuzzy Hash: B101447A64828E4ECB099B3CFA652B8BB10FFA5338B20816FD211C44C2CB139A64D300

Function 0090D2B4 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,0090C1B7,00000001,00000364,?,00000005,000000FF,?,00905495,00928E38,0000000C), ref: 0090D2F5

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 73773d816fe9fa058d678792f3e09324a5880240bd96b73c96428a5a2cbb8017
Instruction ID: 96463ed261ab530e1ad2bf11eaf509a8a50d4153c3e76f76b1493deefc8b8ff2
Opcode Fuzzy Hash: 73773d816fe9fa058d678792f3e09324a5880240bd96b73c96428a5a2cbb8017
Instruction Fuzzy Hash: 2EF0E931617624AFDF216AEA9C01B5F7B4DAF817B0B154121BC24D60D0CB30DC00D6E1

Function 008F7770 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 008F77C6

Part of subcall function 008FAF64: CloseThreadpoolWork.KERNEL32(?,00000000,?,008F78DA,00000000), ref: 008FAF72

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: CloseConcurrency::details::_Release_choreThreadpoolWork
String ID:
API String ID: 312417170-0
Opcode ID: 523979cffbfdcc36e54ade3f0c06f61de17c73c2b3c713b8750c99edbe0c82a3
Instruction ID: 75bec5b21c0f53e36b7cea4aad8c729ab8895bc7fe613f1fd23a2a587cf12926
Opcode Fuzzy Hash: 523979cffbfdcc36e54ade3f0c06f61de17c73c2b3c713b8750c99edbe0c82a3
Instruction Fuzzy Hash: C9014BF1C006599BDB04EF98DC457AEBBB4FB44720F004239E919A7740E779AA85CBD2

Function 0090BF11 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0090DF35,?,?,0090DF35,00000220,?,00000000,?), ref: 0090BF43

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7bf057379394b472c212e27ae550873afaff065f3a1e389531e833c694a3e463
Instruction ID: 538309837e28a91ffeb56636e2184813fcff78af2bf1cdac58398e2de95ad6cd
Opcode Fuzzy Hash: 7bf057379394b472c212e27ae550873afaff065f3a1e389531e833c694a3e463
Instruction Fuzzy Hash: F9E06D3121A6276EDA213A669C00B5B7A4C9F81BE0F150161EE5DD71E0DB20EC00E9A1

Function 008F98F0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 008F990F

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 422c2ceb23bcf3ec457a85a20a2f4d2ac9255ed95a85bdd58e843954bf3859b9
Instruction ID: ea1c5332887ff93cdddad99d2566b5edb8e0bb7390a42546af39e34448893409
Opcode Fuzzy Hash: 422c2ceb23bcf3ec457a85a20a2f4d2ac9255ed95a85bdd58e843954bf3859b9
Instruction Fuzzy Hash: 9BD05E397051284B46247B39A81492E6391FFC8B203660599E940D7355CB24AC428780

Non-executed Functions

Function 00917792 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 009179A9

Strings

1#IND, xrefs: 00917897
1#SNAN, xrefs: 0091789E
1#INF, xrefs: 009178C8
1#QNAN, xrefs: 009178A5

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b27b1b2adf157de7b1455db0503bc4bbafeb69e3d028412657097b4026f105f2
Instruction ID: 90ad9fe7696f4e076847edfa7bdbe3ecff4494fd1d5fa1dc76a7337a7a03d5ea
Opcode Fuzzy Hash: b27b1b2adf157de7b1455db0503bc4bbafeb69e3d028412657097b4026f105f2
Instruction Fuzzy Hash: C9D22871E0822D8FDB65CE28DD447EAB7B9EB84304F1445EAD40DA7280DB78AEC59F41

Function 00911A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,009113BD,00000002,00000000,?,?,?,009113BD,?,00000000), ref: 00911AA0
GetLocaleInfoW.KERNEL32(?,20001004,009113BD,00000002,00000000,?,?,?,009113BD,?,00000000), ref: 00911AC9
GetACP.KERNEL32(?,?,009113BD,?,00000000), ref: 00911ADE

Strings

OCP, xrefs: 00911A5B
ACP, xrefs: 00911A25

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 635bf4b9d357963a46273597a4ff4242ac25af6b112b1cfaa925193029080e77
Instruction ID: 64f9743a0c5002336b99dd9c990e4bd890239da408030f28490820ca1e4abce4
Opcode Fuzzy Hash: 635bf4b9d357963a46273597a4ff4242ac25af6b112b1cfaa925193029080e77
Instruction Fuzzy Hash: 43219532B06108BADB34DF64CA00AD77BAEEF54B54B968465EB0AD7204E732DDC1C350

Function 00911287 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(?,?,00905495,00928E38,0000000C), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000), ref: 0090C210

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0091138F
IsValidCodePage.KERNEL32(00000000), ref: 009113CD
IsValidLocale.KERNEL32(?,00000001), ref: 009113E0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00911428
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00911443

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 0c03937492998f859f46ad201d0fc6c4933a5f295525dad1a477b290d8b4a157
Instruction ID: c427d3f5156eda74f36c0349d8d98eed842afa83dc9b1755df9d50bc5521c5c8
Opcode Fuzzy Hash: 0c03937492998f859f46ad201d0fc6c4933a5f295525dad1a477b290d8b4a157
Instruction Fuzzy Hash: 84515B71B0021EBBEB20EFA5CC45AFE77B8AF44B00F444529EA15E7194E7709A81CB61

Function 00909CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: 13bff2ff999995c6441d1f252a9ee51b9b77f4d1641298ac2ee19dc4ed27f125
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 9B022B71E012199FDF14CFA9C9807AEBBB5FF89314F248269E515E7381D731AD418B90

Function 00911FE9 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 009120D9
FindNextFileW.KERNEL32(00000000,?), ref: 009121CD
FindClose.KERNEL32(00000000), ref: 0091220C
FindClose.KERNEL32(00000000), ref: 0091223F

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: a420b2c36f96bf75d6c65a5ed0c54501c7978900fc072f16c3d054dc3378794a
Instruction ID: a64e31e934d54ef2449c23fbe33be766005b8980f6453919541e5e2e31bc765c
Opcode Fuzzy Hash: a420b2c36f96bf75d6c65a5ed0c54501c7978900fc072f16c3d054dc3378794a
Instruction Fuzzy Hash: 4771E071A0516C6EDF25EF28CC89AFEB7B8AB49300F1442D9E158A3251DA304ED59F10

Function 008FF8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 008FF8F5
IsDebuggerPresent.KERNEL32 ref: 008FF9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008FF9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 008FF9E4

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 82e87e58fe44afc6382f85bd52c8e5ed147c11cfd64e897ab3c020a17023eb15
Instruction ID: ac58ad54114cfc7f6d6f1a7d6e7ec7a39e484c25dcea4323aadfa68d35e92897
Opcode Fuzzy Hash: 82e87e58fe44afc6382f85bd52c8e5ed147c11cfd64e897ab3c020a17023eb15
Instruction Fuzzy Hash: 923103B5D0521CAADB21DFA4DD497CDBBB8BF08300F1041AAE50CAB290EB719A85CF45

Function 00911580 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(?,?,00905495,00928E38,0000000C), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000), ref: 0090C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 009115D4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0091161E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 009116E4

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 50aea23c8e9a2fbcbf5db99172886cd29d4b72fe298374f79c21d386d1cb5a9f
Instruction ID: e638d99d692d89d1dcee44e4d1bc7189a548328875058423ab861d89d997f549
Opcode Fuzzy Hash: 50aea23c8e9a2fbcbf5db99172886cd29d4b72fe298374f79c21d386d1cb5a9f
Instruction Fuzzy Hash: B661AC7171060BAFDB289F28CC82BBA73A8EF04740F14427AEA05C62C5E739D9C1DB54

Function 00907E30 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00907F28
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00907F32
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00907F3F

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 457b1916e291badf21275508b3028f84f6ba1dcd20c6c988dd7fbcd9bcad3e5a
Instruction ID: 34668c62aa567cbfa38c5422211f5926e6972fa0cb24142ffad021a8ab2bae0d
Opcode Fuzzy Hash: 457b1916e291badf21275508b3028f84f6ba1dcd20c6c988dd7fbcd9bcad3e5a
Instruction Fuzzy Hash: B031B27491122DABCB21DF68DC8979DBBB8BF18310F5041EAE50CA7291E7709F858F45

Function 009000B4 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32 ref: 009000EC
GetSystemTimeAsFileTime.KERNEL32(?,DD9B9B17,008F8E30,?,0091BE77,000000FF,?,008FFDB4,?,00000000,00000000,?,008FFDD8,?,008F8E30,?), ref: 009000F0

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 7e69d50066af8189954e74370cd801b228f7adeda3766964aeee4205ebe60a82
Instruction ID: 539b52c59446de49f1afb865b04c1e428efcb4ebbe2fcaeb68c62f2c9d619ee0
Opcode Fuzzy Hash: 7e69d50066af8189954e74370cd801b228f7adeda3766964aeee4205ebe60a82
Instruction Fuzzy Hash: 88F06576A58658EFC7219F44DC04BAEB7B8F748B24F00062AE81293B90DB356901EBC0

Function 00915C5E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00915BB9,?,?,00000008,?,?,0091BCAB,00000000), ref: 00915E8B

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 60a2e4f46e63256e2028045268902d8cd5dd614d7eae217d109f7cc7cdfc1123
Instruction ID: c235ef4c7a0448c5d485e90acec39f2ff842ed8380a2f4f9c9dcfa003f6769cc
Opcode Fuzzy Hash: 60a2e4f46e63256e2028045268902d8cd5dd614d7eae217d109f7cc7cdfc1123
Instruction Fuzzy Hash: 9CB12C35610A09DFD715CF28C48ABA57BE0FF85364F2A8658E899CF2E1C735D992CB40

Function 008FF555 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 008FF56B

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: a799bee42e8eea795dc7d671d32c9940aacb074ae79fd9695c9049f2a6767d62
Instruction ID: e5a3e0211cbb753ed4e0ba2ca6d037632270609259819f43cbed901a5bbbba53
Opcode Fuzzy Hash: a799bee42e8eea795dc7d671d32c9940aacb074ae79fd9695c9049f2a6767d62
Instruction Fuzzy Hash: 2AA1BDB29256098FDB28CF68D8817ADBBF5FB48360F24853AD615E73A1D3349981CF50

Function 00911840 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(?,?,00905495,00928E38,0000000C), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000), ref: 0090C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00911894

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: c6f402a840fd35df352378a4f8e237c4aac7963833f657aa2f59caecae77f83d
Instruction ID: be9665b68b2bf760f9cb9d3115f34748ff85f7dfcf18c8b117095587fc7c6939
Opcode Fuzzy Hash: c6f402a840fd35df352378a4f8e237c4aac7963833f657aa2f59caecae77f83d
Instruction Fuzzy Hash: 9721C57271420BBBEB289B25DC41AFA77ACEF44711B1081BAFE02D6181EB34ED80D750

Function 00903FB2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00904136

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 01542c15733ec080217b428a0d7068cb3564b19ac3afa897608b85d8293ad1a0
Instruction ID: 1936c5e9b5c9e7e9d305452cb5db2e748d1e00c129231fdd4f1aeb2d413a3160
Opcode Fuzzy Hash: 01542c15733ec080217b428a0d7068cb3564b19ac3afa897608b85d8293ad1a0
Instruction Fuzzy Hash: D7B1D2F0A0460A8FCB24CF68C9556BEBBB9AF51300F14461DEB62A76D1C735EE41CB91

Function 009114D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(?,?,00905495,00928E38,0000000C), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000), ref: 0090C210

EnumSystemLocalesW.KERNEL32(00911580,00000001,00000000,?,-00000050,?,00911363,00000000,-00000002,00000000,?,00000055,?), ref: 0091154A

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: edda4267cbd2062891919396a0daa3363644e18e8c927debad9024a9dbead514
Instruction ID: 660bfc5465a72e4a527c63d00065b6aba871c1d9fb71f91de429241d28358fdb
Opcode Fuzzy Hash: edda4267cbd2062891919396a0daa3363644e18e8c927debad9024a9dbead514
Instruction Fuzzy Hash: 9111E9363047056FDB189F39C8916BAB796FFC0758B14442DE68747B40E771B982D740

Function 00911960 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(?,?,00905495,00928E38,0000000C), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000), ref: 0090C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 009119B4

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: ff0b22dd05f9a6e100ae9c1e92ba5a5ee9b3ad6fe8a10868ea0f9e0ddb5c978a
Instruction ID: 0933845fda5de788b9c3080386f06d7e1cff39df57c70ed3eade42d25f34f152
Opcode Fuzzy Hash: ff0b22dd05f9a6e100ae9c1e92ba5a5ee9b3ad6fe8a10868ea0f9e0ddb5c978a
Instruction Fuzzy Hash: 4411027261120AABDB18AF68DC52ABB77ECEF44720B10417AF602D7181EB38ED459750

Function 00911B0D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(?,?,00905495,00928E38,0000000C), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000), ref: 0090C210

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0091179C,00000000,00000000,?), ref: 00911B39

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5cf55b6138b403440ca74628ad8b513c76fff204235fb99b0dd5d0d4f14199af
Instruction ID: 380479bad888bb90abd8a48a552a1242fce897475278d82558742ed45f3e67eb
Opcode Fuzzy Hash: 5cf55b6138b403440ca74628ad8b513c76fff204235fb99b0dd5d0d4f14199af
Instruction Fuzzy Hash: B601F93275811ABBDB2C5B648C05BFA3768EF40754F154828EE46A31C4FB74FE81C690

Function 009117D3 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(?,?,00905495,00928E38,0000000C), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000), ref: 0090C210

EnumSystemLocalesW.KERNEL32(00911840,00000001,?,?,-00000050,?,0091132B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 0091181D

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4a2d6e1a61f10ef246e7f177a878c700e0800f68af673aecb12a46868b4ea4be
Instruction ID: 991ccbc82a71d7628a35eafbbe936314e8492e8dd9afa844cab4863f5c5a7509
Opcode Fuzzy Hash: 4a2d6e1a61f10ef246e7f177a878c700e0800f68af673aecb12a46868b4ea4be
Instruction Fuzzy Hash: 2EF0F6363043086FDB255F79DC81BBA7B95EFC0768F05846CFB464BA90D6B19C82D650

Function 0090D1BD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009080E1: EnterCriticalSection.KERNEL32(?,?,0090C5F8,?,00929290,00000008,0090C4EA,?,?,?), ref: 009080F0

EnumSystemLocalesW.KERNEL32(0090D1B0,00000001,00929310,0000000C,0090CB11,-00000050), ref: 0090D1F5

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: f8ae6b69dbea49dbe991376e825db89322b174be57a7e8086ef1a2af6eb068eb
Instruction ID: 52a226f4055854edc2a4b239bdd456f107e905cd816ce931987c600b8f9543ad
Opcode Fuzzy Hash: f8ae6b69dbea49dbe991376e825db89322b174be57a7e8086ef1a2af6eb068eb
Instruction Fuzzy Hash: 52F03772A19214EFDB20EFA8E842B9977F0EB89729F00812AF5109B2E0DB754941DF41

Function 00911915 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(?,?,00905495,00928E38,0000000C), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000), ref: 0090C210

EnumSystemLocalesW.KERNEL32(00911960,00000001,?,?,?,00911385,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 0091194C

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 2574f117ed43a88deb071a5cbc75e739c6f02f1f5d0048d0063906aed17ee86f
Instruction ID: 78903ea8fc57c27f38afca88adca02693c3b1e1a5723fc6d46e09787e12b8040
Opcode Fuzzy Hash: 2574f117ed43a88deb071a5cbc75e739c6f02f1f5d0048d0063906aed17ee86f
Instruction Fuzzy Hash: 19F0EC3530020967CB14AF35DC656A67FA4EFC1B54F064059EB558B551C6719883D790

Function 0090CC15 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00906E33,?,20001004,00000000,00000002,?,?,00905D3D), ref: 0090CC49

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 2e5f329caede7187c28bc481877a53f582c07784659bcfaca7febba33cd0eec1
Instruction ID: c5f0f3f9910714202c41c451ce4db8134be3b27201d27bd4dd987ac4ee3daf7f
Opcode Fuzzy Hash: 2e5f329caede7187c28bc481877a53f582c07784659bcfaca7febba33cd0eec1
Instruction Fuzzy Hash: 34E04F7150123CBFCF223FA0ED05E9E3E2AEF44B50F048525FD49661A1CB359922BB90

Function 008FF8DD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000FA00), ref: 008FF8E2

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7b46bf9c384747644262aeb42ea2100f2085d7ef3ec243c7420e3b67c2f2eb2a
Instruction ID: ddc8343918cbc432b03df08a6b9b1f05a7ef4b62d5fe5928fbeb241b466b004d
Opcode Fuzzy Hash: 7b46bf9c384747644262aeb42ea2100f2085d7ef3ec243c7420e3b67c2f2eb2a
Instruction Fuzzy Hash:

Function 0090D8E0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0090D8E0

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 79f491ff973dded53fb93f4b05e2aa59a77b3a268f862eb95309066a55f47ca1
Instruction ID: 6dc8185e4b611f93cd4c317a826c9888d83e0fe6e0a1c40a84940ac1f981cb2b
Opcode Fuzzy Hash: 79f491ff973dded53fb93f4b05e2aa59a77b3a268f862eb95309066a55f47ca1
Instruction Fuzzy Hash: D3A012302161018B43109F355D042083598A5005D030080255440C2070DB3041017F40

Function 0091AAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,0091AACD,?,?,?,?,?,?,?,?,?), ref: 0091AB88
__alloca_probe_16.LIBCMT ref: 0091AC43
__alloca_probe_16.LIBCMT ref: 0091ACD2
__freea.LIBCMT ref: 0091AD1D
__freea.LIBCMT ref: 0091AD23
__freea.LIBCMT ref: 0091AD59
__freea.LIBCMT ref: 0091AD5F
__freea.LIBCMT ref: 0091AD6F

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: d785608b846e440d33e0d1b7647915fcc366a9f5c79c0dcc9d316c3318f37a76
Instruction ID: 0c905d0636f393a4f62851c4f836dda9d82e30a45721eb405c7c7033a980a467
Opcode Fuzzy Hash: d785608b846e440d33e0d1b7647915fcc366a9f5c79c0dcc9d316c3318f37a76
Instruction Fuzzy Hash: D9710376B0564E9FDF219EA49C41FEF77AAEF45310F290455EA04A7292E7348C808792

Function 008FFE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 008FFE70
__alloca_probe_16.LIBCMT ref: 008FFE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 008FFEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008FFEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008FFF37
__alloca_probe_16.LIBCMT ref: 008FFF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 008FFF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 008FFFB9

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 8cce2f90b7b7e4d5fdbc970675b596361427ce8bdecac0434b8cae1a571bf29f
Instruction ID: 283d13e0ee36e1b47f552b51a3080704289aaaee2edb23713a1781a5aa7fbe01
Opcode Fuzzy Hash: 8cce2f90b7b7e4d5fdbc970675b596361427ce8bdecac0434b8cae1a571bf29f
Instruction Fuzzy Hash: 7451797260021EAFEB205F74CC45FBA7AA9FF41754F254439FB14EA1A2EF708D119A60

Function 0090EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0090EEFC

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: 35de1921084bfa8adb079bb00a297cc112c9887ada319f5605db89dbe82c9dbc
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: 30B15672A0435AAFDB21CF24CC91BEEBBB9EF55310F144565E944AF2C2D2749E41CBA0

Function 00900D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00900D77
___except_validate_context_record.LIBVCRUNTIME ref: 00900D7F
_ValidateLocalCookies.LIBCMT ref: 00900E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00900E33
_ValidateLocalCookies.LIBCMT ref: 00900E88

Strings

csm, xrefs: 00900E1D

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 52c9e43093039ad1358eafc840774f661fdf4f0bc46be2dc6545abae9b8f82e1
Instruction ID: 3f49e2dc0c45b2a3e7bae46c96ed658072216eaefa44d7c02a16b987155a7746
Opcode Fuzzy Hash: 52c9e43093039ad1358eafc840774f661fdf4f0bc46be2dc6545abae9b8f82e1
Instruction Fuzzy Hash: 7641A234A002189FCF10EF68C884B9EBBB9AFC5324F148955E915AB3D2D731AE55CBD1

Function 00900080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00900086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00900094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 009000A5

Strings

kernel32.dll, xrefs: 00900081
GetTempPath2W, xrefs: 0090009A
GetSystemTimePreciseAsFileTime, xrefs: 0090008E

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: bc1725b7a5e40d99721956bcea43ef2f4ae6c176e4b62fbedc6e6b65b564a725
Instruction ID: f8726eb502ca2d032c9b8f7db11ca96ede9bb2a38bbcb9fb0a18e595c8f3b3c7
Opcode Fuzzy Hash: bc1725b7a5e40d99721956bcea43ef2f4ae6c176e4b62fbedc6e6b65b564a725
Instruction Fuzzy Hash: 84D05E71569220AB8330EF75BD098C93AA8FA493103018052F6C0D2658DA7445029B94

Function 00914F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1097f3183bd2cc4c523e8256aec489678cd6ab38d27cb0ba37076ab3e6ebdb
Instruction ID: b464175346f340219b985ccf5bbf3a30cd6a4992b93b30f903ea8685123bd98d
Opcode Fuzzy Hash: da1097f3183bd2cc4c523e8256aec489678cd6ab38d27cb0ba37076ab3e6ebdb
Instruction Fuzzy Hash: EEB10571F08A4DEFDB11DFA8C880BEDBBB5BF85310F164558E51197291C771A982CBA0

Function 008F9B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 008F9C97
std::_Throw_Cpp_error.LIBCPMT ref: 008F9CA8
std::_Throw_Cpp_error.LIBCPMT ref: 008F9CBC
std::_Throw_Cpp_error.LIBCPMT ref: 008F9CDD
std::_Throw_Cpp_error.LIBCPMT ref: 008F9CEE
std::_Throw_Cpp_error.LIBCPMT ref: 008F9D06

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: a0dbd129f582a0557311e93fffe2d4189d6a2f1838ba4133b5cb66ad45fc6347
Instruction ID: 671f5ce991fef30a78534387010911f40c06228192c61c810ed90f05a867b3e3
Opcode Fuzzy Hash: a0dbd129f582a0557311e93fffe2d4189d6a2f1838ba4133b5cb66ad45fc6347
Instruction Fuzzy Hash: 044191B1900748CBDB309B7889057BBB7F8FF45324F18062DD7AAA6292D7716504CB63

Function 0090ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0090ACDE,00900760,008FB77F,DD9B9B17,?,?,?,?,0091BFCA,000000FF), ref: 0090ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0090AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0090AD1C
SetLastError.KERNEL32(00000000,?,0090ACDE,00900760,008FB77F,DD9B9B17,?,?,?,?,0091BFCA,000000FF), ref: 0090AD6E

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c119039090e91350c5bf188d29d7a3aff942c5fa6dd145dd4f1f0b0fe758738c
Instruction ID: f2d025cb1cacd02c2fb39f792c1927a4ba2fcbd10e04f68e1a9eedd18d28b0e2
Opcode Fuzzy Hash: c119039090e91350c5bf188d29d7a3aff942c5fa6dd145dd4f1f0b0fe758738c
Instruction Fuzzy Hash: 7501D47371E719AEE73427747C85A663BC8EB81B79720032AF610555F0EF114C83B281

Function 0090B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0090B68D
CallUnexpected.LIBVCRUNTIME ref: 0090B906

Strings

csm, xrefs: 0090B618
csm, xrefs: 0090B5AB
csm, xrefs: 0090B6C4

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: e08575326807b21b0650117ca5307110ebbea025c6117cc1ca2b6fdec0461da9
Instruction ID: 90a8c5a003d29167b6cbfad08f3e3a3d2de3735e2b122fe2553b1f7c3b5c3b24
Opcode Fuzzy Hash: e08575326807b21b0650117ca5307110ebbea025c6117cc1ca2b6fdec0461da9
Instruction Fuzzy Hash: F3B1BF71800209EFCF14DFA4C881AAEBBB9FF94310F14855AF9156B292D732DA61CF91

Function 008FBE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 008FBF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 008FC028

Strings

csm, xrefs: 008FBEB7
MOC, xrefs: 008FBE9F
RCC, xrefs: 008FBEAB

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 71f0aa33524246ebb157a9c8fb8331a6a1429da762806465c8ece739df7c68b6
Instruction ID: 3e6431b0646f5c119b3cb8be4f7d0a8d986978b10288ea9335d0c1cb43106927
Opcode Fuzzy Hash: 71f0aa33524246ebb157a9c8fb8331a6a1429da762806465c8ece739df7c68b6
Instruction Fuzzy Hash: 4E418B74901209DFCB28DF78C945ABEB7B5FF88310B58806DE649E7652CB34AA05CB52

Function 009055C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,DD9B9B17,?,?,00000000,0091BE94,000000FF,?,00905685,00000002,?,00905721,00908396), ref: 009055F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0090560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,0091BE94,000000FF,?,00905685,00000002,?,00905721,00908396), ref: 0090562D

Strings

mscoree.dll, xrefs: 009055F2
CorExitProcess, xrefs: 00905603

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 90dea59d3c7fcd897bf2865d3c38ad05a94cd1ef6ac564368903c53b484bc831
Instruction ID: 05e7d1c3ed4cb8cc9a1edcfc5f1bf0d3e04039a2faf007143872c1a731e8622e
Opcode Fuzzy Hash: 90dea59d3c7fcd897bf2865d3c38ad05a94cd1ef6ac564368903c53b484bc831
Instruction Fuzzy Hash: 8E01D631A18A29EFCB21DF44DC09BAEB7BCFB44B25F010525F851A26D0DF759900DA90

Function 0090D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0090D76F
__alloca_probe_16.LIBCMT ref: 0090D838
__freea.LIBCMT ref: 0090D89F

Part of subcall function 0090BF11: RtlAllocateHeap.NTDLL(00000000,0090DF35,?,?,0090DF35,00000220,?,00000000,?), ref: 0090BF43

__freea.LIBCMT ref: 0090D8B2
__freea.LIBCMT ref: 0090D8BF

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: cd3344f992ac1d29bcbde665f26b9a63e47949d54bb22637c96db81181e069bb
Instruction ID: d9d3ae9a266a73b5b36ac9e57c7244684e2a879d60d26c5a6c630e54dc3cb1f6
Opcode Fuzzy Hash: cd3344f992ac1d29bcbde665f26b9a63e47949d54bb22637c96db81181e069bb
Instruction Fuzzy Hash: D251D67260120AAFEB215FE4CC85EBB7BAEEF84720F154529FE04D7291E774DC1096A0

Function 008FEFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008FF005
AcquireSRWLockExclusive.KERNEL32(008F8E38), ref: 008FF024
AcquireSRWLockExclusive.KERNEL32(008F8E38,008FA2F0,?), ref: 008FF052
TryAcquireSRWLockExclusive.KERNEL32(008F8E38,008FA2F0,?), ref: 008FF0AD
TryAcquireSRWLockExclusive.KERNEL32(008F8E38,008FA2F0,?), ref: 008FF0C4

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 4016f5318bc8a8c99e718a53e888b5a8f70740f866f9f13340c90105cd3d1a13
Instruction ID: faa6f324c91ffb7a0cf34d0addb0a6ed91390e500890065fcf7d759b3cfe6a82
Opcode Fuzzy Hash: 4016f5318bc8a8c99e718a53e888b5a8f70740f866f9f13340c90105cd3d1a13
Instruction Fuzzy Hash: 7C412271A00A0EDBCB21DF75C8819BAB3A4FF84315B20493AE756D7A52DB30E985CB51

Function 008F3C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008F3CA5
std::_Lockit::_Lockit.LIBCPMT ref: 008F3CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 008F3CE0
__Getctype.LIBCPMT ref: 008F3D92
std::_Lockit::~_Lockit.LIBCPMT ref: 008F3DD8

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 12effaa251f6319bf76a5185fa8f3e53022ad04b124ceae72ae7495491d9d8ef
Instruction ID: 2da72acc5d44320d6982027795b46ac596702f8a8d332ad03a6477c53214737c
Opcode Fuzzy Hash: 12effaa251f6319bf76a5185fa8f3e53022ad04b124ceae72ae7495491d9d8ef
Instruction Fuzzy Hash: D4416FB1E006188FCB24DFA8D844BAEB7B5FF44720F148129D919AB391DB34AE45CF91

Function 008FD4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008FD4C9
std::_Lockit::_Lockit.LIBCPMT ref: 008FD4D3
int.LIBCPMT ref: 008FD4EA

Part of subcall function 008FC1E5: std::_Lockit::_Lockit.LIBCPMT ref: 008FC1F6
Part of subcall function 008FC1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 008FC210

codecvt.LIBCPMT ref: 008FD50D
std::_Lockit::~_Lockit.LIBCPMT ref: 008FD544

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: b183de73ff24b7f68c68c8db03be86011fc23c0f55ac0dc4c99967749dcae9e9
Instruction ID: 1803a62d0d98b117cd210bd9c2a9f227864cad8baea41d606f02ddd57f6ab00c
Opcode Fuzzy Hash: b183de73ff24b7f68c68c8db03be86011fc23c0f55ac0dc4c99967749dcae9e9
Instruction Fuzzy Hash: 8101C47190021D9BCB05EB78C915ABD77B6FF88724F144409E715EB282CF749E41CB82

Function 008FADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008FADDE
std::_Lockit::_Lockit.LIBCPMT ref: 008FADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 008FAE57

Part of subcall function 008FACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 008FACC2

std::locale::_Setgloballocale.LIBCPMT ref: 008FAE04
_Yarn.LIBCPMT ref: 008FAE1A

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 004cf5bc334f6396f5c59ce255d6464c8c8e1f2ba53a3858e8e1b854140d82c6
Instruction ID: 1abef790b4ddf9005b628c410cf91969271474b6b5c60b58f06f4815d71f6baf
Opcode Fuzzy Hash: 004cf5bc334f6396f5c59ce255d6464c8c8e1f2ba53a3858e8e1b854140d82c6
Instruction Fuzzy Hash: 120171B96102299BCB09FB34D85557D7BA5FF84760B144019EA0997381CF346E82DB93

Function 008FB755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 008FB809

Strings

MOC, xrefs: 008FB789
RCC, xrefs: 008FB795
csm, xrefs: 008FB7A1

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: cbd712ad72a7cacec553039d77afec0920a2fab4359c5b40318e428a37c6a363
Instruction ID: b69ea07f22a3ea20ec2933616d66257786a7d4805962b565e793931928053c20
Opcode Fuzzy Hash: cbd712ad72a7cacec553039d77afec0920a2fab4359c5b40318e428a37c6a363
Instruction Fuzzy Hash: 9221223591020DDFCF24AFB8C841B7AB3ACFF843A1F14456EE611D7690DB34AA40CA91

Function 00916940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,009169DC,00000000,?,0092D2B0,?,?,?,00916913,00000004,InitializeCriticalSectionEx,00920D34,00920D3C), ref: 0091694D
GetLastError.KERNEL32(?,009169DC,00000000,?,0092D2B0,?,?,?,00916913,00000004,InitializeCriticalSectionEx,00920D34,00920D3C,00000000,?,0090BBBC), ref: 00916957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0091697F

Strings

api-ms-, xrefs: 00916964

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: e8a0bc856e62501eb4d231e6ce7695554b0b6f866f8650eb7db8af534c6963b0
Instruction ID: 3a74f38dec320ceacace9d39d2a69d908584be307cdabbccec09beb4c76e1270
Opcode Fuzzy Hash: e8a0bc856e62501eb4d231e6ce7695554b0b6f866f8650eb7db8af534c6963b0
Instruction Fuzzy Hash: A0E0123179424CB7DF201B61EC06BAC3A5D9B40B55F140420F94CA88E0DB71EC95A944

Function 00913F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(DD9B9B17,00000000,00000000,?), ref: 00914001

Part of subcall function 0090C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0090D895,?,00000000,-00000008), ref: 0090C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00914253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00914299
GetLastError.KERNEL32 ref: 0091433C

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 80bc99980421db42aaa24b0eb40c11c31ce81b959a49ed6a6a3107a41ae28158
Instruction ID: ef9b6817cab12d26b780097bf41bf5a31a2b5c8990a2cf4d5ac40d79be737254
Opcode Fuzzy Hash: 80bc99980421db42aaa24b0eb40c11c31ce81b959a49ed6a6a3107a41ae28158
Instruction Fuzzy Hash: CAD18C75E042489FCF15CFE9C880AEDBBB9FF49314F28452AE565EB351D630A982CB50

Function 0090B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0090B35C
___AdjustPointer.LIBCMT ref: 0090B37F
___AdjustPointer.LIBCMT ref: 0090B41B

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: b4e24bf457f3fe700ccee24aa57e787f1b179e0bf02b70ab8e5c0762d583649b
Instruction ID: 0a93c516f4593334a81c3655afa7718cde1fbb6aecaaf925b4b561a1811a2e7c
Opcode Fuzzy Hash: b4e24bf457f3fe700ccee24aa57e787f1b179e0bf02b70ab8e5c0762d583649b
Instruction Fuzzy Hash: 2051F371606206DFDB299F64C891BBA77A8EF40710F24442DF916972E1E731ED80CB90

Function 008F7220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008F72C5
std::_Throw_Cpp_error.LIBCPMT ref: 008F7395
std::_Throw_Cpp_error.LIBCPMT ref: 008F73A3
std::_Throw_Cpp_error.LIBCPMT ref: 008F73B1

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 962151d34f8fc45084b394faad4465fe4036c7e1dad113fa8f989a50e5c454c5
Instruction ID: 1d3f4d19a121ddcd0eb659dbe1413d581fe897bfb19b393e1c3c79b48d34555b
Opcode Fuzzy Hash: 962151d34f8fc45084b394faad4465fe4036c7e1dad113fa8f989a50e5c454c5
Instruction Fuzzy Hash: 0641D2B190430D9BEB20AB38C841B7AB7A5FF44320F544639DA5AC7791EB34E815CB92

Function 008F4460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008F4495
std::_Lockit::_Lockit.LIBCPMT ref: 008F44B2
std::_Lockit::~_Lockit.LIBCPMT ref: 008F44D3
std::_Lockit::~_Lockit.LIBCPMT ref: 008F4580

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 0fb1022caccb8cac05c49ce4f1f3909e055007771b019e8d4815b57ca4a1226a
Instruction ID: 17003ca69027beca40ad885f7930cad6d046bb11c1e0fae4fb16e885eb117c7d
Opcode Fuzzy Hash: 0fb1022caccb8cac05c49ce4f1f3909e055007771b019e8d4815b57ca4a1226a
Instruction Fuzzy Hash: 41415EB1D002198FCB24EFA8D844BAEBBB4FB48720F14426AE915A7351D734AD45CFA1

Function 00911DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0090C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0090D895,?,00000000,-00000008), ref: 0090C082

GetLastError.KERNEL32 ref: 00911E2A
__dosmaperr.LIBCMT ref: 00911E31
GetLastError.KERNEL32 ref: 00911E6B
__dosmaperr.LIBCMT ref: 00911E72

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 386a271fe94c7779a4e044a32202328ad45b5015319e6b09ca290791be710a3a
Instruction ID: 042b5a7071399bc08bab0e0e85cf87fd361d6a74e0b2f18024f90252564d5a12
Opcode Fuzzy Hash: 386a271fe94c7779a4e044a32202328ad45b5015319e6b09ca290791be710a3a
Instruction Fuzzy Hash: 7321C271B04619BFDB20AFE5D880AABB7ADFF403647108519FE59D7191DB30EC908BA0

Function 00902BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a894f0f07a9ffe61d5909e055122a8e5f541c0155b1504041bcf02fa508b2b1
Instruction ID: a0b76d66bd86edef4a836d8f3b78cc69758c43bc4e80360f13ea04c73e78a65e
Opcode Fuzzy Hash: 0a894f0f07a9ffe61d5909e055122a8e5f541c0155b1504041bcf02fa508b2b1
Instruction Fuzzy Hash: D321D471604225AFEF20AF758C88A6EB7ADFF913647104564F895D71D0EB30EC40C7A0

Function 009131BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 009131C6

Part of subcall function 0090C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0090D895,?,00000000,-00000008), ref: 0090C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009131FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0091321E

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 1abd1a97a2eb12f75e0a7f70bc0b39ced682320dfbadfcb582f83b409d6a8446
Instruction ID: ac6082aa7e696e392f2b97f1782bdd57bc56ed2d90c46ba0aaf896957c6ae86d
Opcode Fuzzy Hash: 1abd1a97a2eb12f75e0a7f70bc0b39ced682320dfbadfcb582f83b409d6a8446
Instruction Fuzzy Hash: A11100B1600119BEEB2237B29C8ADFF6A7CDEC53943104824FA1192140FF74DF4181B0

Function 008FE892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008FE899
std::_Lockit::_Lockit.LIBCPMT ref: 008FE8A3
int.LIBCPMT ref: 008FE8BA

Part of subcall function 008FC1E5: std::_Lockit::_Lockit.LIBCPMT ref: 008FC1F6
Part of subcall function 008FC1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 008FC210

std::_Lockit::~_Lockit.LIBCPMT ref: 008FE914

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 4eb4973cfc52f549bc29783112492bd1814cf738d2e6a902c920a7bc53989125
Instruction ID: 0cf368d775ce82b96f91d1746b3bfa8428e4132dd381b0250160062d5bbe004e
Opcode Fuzzy Hash: 4eb4973cfc52f549bc29783112492bd1814cf738d2e6a902c920a7bc53989125
Instruction Fuzzy Hash: F611CE7590421D9BCB15EBB8C945ABDBBA1FF80720F240019E615EB292CF74AA41CB92

Function 0091ADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0091A2EF,00000000,00000001,00000000,?,?,00914390,?,00000000,00000000), ref: 0091ADB7
GetLastError.KERNEL32(?,0091A2EF,00000000,00000001,00000000,?,?,00914390,?,00000000,00000000,?,?,?,00913CD6,00000000), ref: 0091ADC3

Part of subcall function 0091AE20: CloseHandle.KERNEL32(FFFFFFFE,0091ADD3,?,0091A2EF,00000000,00000001,00000000,?,?,00914390,?,00000000,00000000,?,?), ref: 0091AE30

___initconout.LIBCMT ref: 0091ADD3

Part of subcall function 0091ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0091AD91,0091A2DC,?,?,00914390,?,00000000,00000000,?), ref: 0091AE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0091A2EF,00000000,00000001,00000000,?,?,00914390,?,00000000,00000000,?), ref: 0091ADE8

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e3a8bf496cb385b035d86b9f3d5dd75ef5edca0f8be9dfd451b96e1a00d8a4cc
Instruction ID: 094696a9d62ab14631a33c7ad8891d73c52ec2c0d0f4c7269e63d2ce0f80f328
Opcode Fuzzy Hash: e3a8bf496cb385b035d86b9f3d5dd75ef5edca0f8be9dfd451b96e1a00d8a4cc
Instruction Fuzzy Hash: 4AF0123661511CBBCF322FD5EC049DA3F26FF44771B004011FA1885560DB328CA1AB91

Function 009004F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00900507
GetCurrentThreadId.KERNEL32 ref: 00900516
GetCurrentProcessId.KERNEL32 ref: 0090051F
QueryPerformanceCounter.KERNEL32(?), ref: 0090052C

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 03ab38908b8aa7ac18f5987d2c9f907e6fed8a6d6fe5fdba427e2cda9aeffe95
Instruction ID: 26a71a12d1c5f9be2226352edfdb8580705e9ed54c35b7c577455a3b8e25b6c9
Opcode Fuzzy Hash: 03ab38908b8aa7ac18f5987d2c9f907e6fed8a6d6fe5fdba427e2cda9aeffe95
Instruction Fuzzy Hash: BAF0B270D1420CEBCB00EFB4DA4898EBBF4FF1C200B918995E412E7510EB30AB45DB50

Function 00910976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(?,?,00905495,00928E38,0000000C), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000), ref: 0090C210

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00905BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00910A35
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00905BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00910A6C

Strings

utf8, xrefs: 00910B3E

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 892e7edb161e355ea55479cee2b1d877ca3d667af961e0ed1e6c3e3dfc86de26
Instruction ID: da8b2441dbb5b794e8c4fb509a1cfc3bbfb61f2e6b24e629be45612df6262174
Opcode Fuzzy Hash: 892e7edb161e355ea55479cee2b1d877ca3d667af961e0ed1e6c3e3dfc86de26
Instruction Fuzzy Hash: 9C51B571B4830DAADB24AB318C46FE672ACEFC5704F144829F55997181F6F2E9C08765

Function 008F73E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 008F7526
___std_exception_copy.LIBVCRUNTIME ref: 008F7561

Part of subcall function 008FAF37: CreateThreadpoolWork.KERNEL32(008FB060,008F8A2A,00000000), ref: 008FAF46
Part of subcall function 008FAF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 008FAF53

Strings

Fail to schedule the chore!, xrefs: 008F7551, 008F7560

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!
API String ID: 3683891980-3313369819
Opcode ID: 1a5c25d33ff9f97c3a8457b4b276400cadd1760a320f40af2005549e0bea65a6
Instruction ID: 177807aaff5054f348152fce3af5d824a61809cb412814941670a1a1b5d02904
Opcode Fuzzy Hash: 1a5c25d33ff9f97c3a8457b4b276400cadd1760a320f40af2005549e0bea65a6
Instruction Fuzzy Hash: D751CAB090120CDFDB14EFA4D844BAEBBB0FF48324F144129E919AB391E775AA05CF91

Function 0090B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0090B893,?,?,00000000,00000000,00000000,?), ref: 0090B9B7

Strings

RCC, xrefs: 0090B9D1
MOC, xrefs: 0090B9C9

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: a12b436756f8f29cf3af3a4b5bf72cd1ed7c3d77cd7f9dc5c5c01a3f11b3fc18
Instruction ID: f575dbe1dfb20f0be786c0f8b718bfff1929874d1e7563037151bdbb610bf1d4
Opcode Fuzzy Hash: a12b436756f8f29cf3af3a4b5bf72cd1ed7c3d77cd7f9dc5c5c01a3f11b3fc18
Instruction Fuzzy Hash: 26416C72A00209AFCF15DF94CC81BEEBBB9FF88304F198159FA14A7292D3359950DB51

Function 008F3E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008F3EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 008F4002

Part of subcall function 008FABC5: _Yarn.LIBCPMT ref: 008FABE5
Part of subcall function 008FABC5: _Yarn.LIBCPMT ref: 008FAC09

Strings

bad locale name, xrefs: 008F3F46

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: 807c061304391fa6f62a268de02963d6449d668303f020e010c7bd41157543d9
Instruction ID: 647d57b4e847cc5df3fcf7833195d857b8bc5310d8eafd39a3b554643a50a777
Opcode Fuzzy Hash: 807c061304391fa6f62a268de02963d6449d668303f020e010c7bd41157543d9
Instruction Fuzzy Hash: 5B414BF0A006459BEB10DF69D805B27BAF8BF44714F044628E5099B781E77AE518CBE2

Function 0090B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0090B475

Strings

csm, xrefs: 0090B497
csm, xrefs: 0090B508

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: f8a99782d7d6da2c3733c687eec505bf683a9bebb09f36d6926909d1b8d86b93
Instruction ID: 0dc16ecae0b653857bdaf5ecc9c98a00b0ba2359c55ea55ba7b5bc21cf5b8bba
Opcode Fuzzy Hash: f8a99782d7d6da2c3733c687eec505bf683a9bebb09f36d6926909d1b8d86b93
Instruction Fuzzy Hash: 5F313872400219EFCF229F50CC40DAA7B6AFF08714B18869AFD440A1B2C336DEA1DF81

Function 008FB831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 008FB8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 008FB8DE

Part of subcall function 0090060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,008FF354,03364388,?,?,?,008FF354,008F3D4A,0092759C,008F3D4A), ref: 0090066D

Part of subcall function 00908353: IsProcessorFeaturePresent.KERNEL32(00000017,0090C224), ref: 0090836F

Strings

csm, xrefs: 008FB86D

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: f94040fee9736f85a165057473be72ad39961928bf12fa94673c035ab60d6063
Instruction ID: 4cdcab4e29c5f140f4fbf429bea862225e1217f5ac13ee1a4659ad09f47b7b21
Opcode Fuzzy Hash: f94040fee9736f85a165057473be72ad39961928bf12fa94673c035ab60d6063
Instruction Fuzzy Hash: C3212531E1021CABCF249EA9D845ABEB7B9FF84790F140429E605EB650DB70AD55CB81

Function 008FB46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 008F2673

Strings

ios_base::badbit set, xrefs: 008F2650
bad array new length, xrefs: 008F2626

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: 85db5336e5241b10bcc758a820b391658b38c26244f8765b464e3a56966ba790
Instruction ID: 30bbf98837ec5c0c99e07ee69f579dda4d76e198925dc459ab99c5a8b4b376f6
Opcode Fuzzy Hash: 85db5336e5241b10bcc758a820b391658b38c26244f8765b464e3a56966ba790
Instruction Fuzzy Hash: 6A01B1F1609304ABDB14DF28D845B6ABBE4EF48318F01891CF459DB341D379E844CB81

Function 008F2610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0090060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,008FF354,03364388,?,?,?,008FF354,008F3D4A,0092759C,008F3D4A), ref: 0090066D

___std_exception_copy.LIBVCRUNTIME ref: 008F2673

Strings

ios_base::badbit set, xrefs: 008F2650
bad array new length, xrefs: 008F2626

Memory Dump Source

Source File: 00000000.00000002.1700924417.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000000.00000002.1700909927.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700952219.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700968641.000000000092A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701029429.000000000092B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701075424.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701095358.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1701132144.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f0000_Aura.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: d15e9112bc7a4ddcf55a02ad05084c14b4ac2ae40c090be57f1ac226632b81d5
Instruction ID: f6c927f74419173a3d5e3329d9a6dbb797d10628dbd931ecb3d8c2f6c2daa33e
Opcode Fuzzy Hash: d15e9112bc7a4ddcf55a02ad05084c14b4ac2ae40c090be57f1ac226632b81d5
Instruction Fuzzy Hash: 0BF01CF1A19310ABD710AF18DC45757BBE4EB89718F018D1CF5989B340D3B5D448CB92

Analysis Process: Aura.exePID: 6952, Parent PID: 6788COMMON

Non-executed Functions

Function 00911A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,009113BD,00000002,00000000,?,?,?,009113BD,?,00000000), ref: 00911AA0
GetLocaleInfoW.KERNEL32(?,20001004,009113BD,00000002,00000000,?,?,?,009113BD,?,00000000), ref: 00911AC9
GetACP.KERNEL32(?,?,009113BD,?,00000000), ref: 00911ADE

Strings

ACP, xrefs: 00911A25
OCP, xrefs: 00911A5B

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 635bf4b9d357963a46273597a4ff4242ac25af6b112b1cfaa925193029080e77
Instruction ID: 64f9743a0c5002336b99dd9c990e4bd890239da408030f28490820ca1e4abce4
Opcode Fuzzy Hash: 635bf4b9d357963a46273597a4ff4242ac25af6b112b1cfaa925193029080e77
Instruction Fuzzy Hash: 43219532B06108BADB34DF64CA00AD77BAEEF54B54B968465EB0AD7204E732DDC1C350

Function 008F1FB0 Relevance: 7.7, APIs: 5, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008F1240: _strlen.LIBCMT ref: 008F12BA

GetFileSize.KERNEL32(00000000,00000000), ref: 008F2046
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008F206B
CloseHandle.KERNEL32(00000000), ref: 008F207A
_strlen.LIBCMT ref: 008F20CD
CloseHandle.KERNEL32(00000000), ref: 008F21FD

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: CloseFileHandle_strlen$ReadSize
String ID:
API String ID: 1490117831-0
Opcode ID: 7b04cb933bd7d05fb34c50157b3bc13348dab95309b0068df1192b524dfb6953
Instruction ID: 87a790d16f9c4921a2ab58c38188dbc5348704e308093cb64900f04a3f945059
Opcode Fuzzy Hash: 7b04cb933bd7d05fb34c50157b3bc13348dab95309b0068df1192b524dfb6953
Instruction Fuzzy Hash: 5E71C1B2C002189BCB10DFB8DC45BAEBBB5FF48324F140628E914E7391E735A945CBA1

Function 00911287 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(00000000,?,0090E58D), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00908363), ref: 0090C210

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0091138F
IsValidCodePage.KERNEL32(00000000), ref: 009113CD
IsValidLocale.KERNEL32(?,00000001), ref: 009113E0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00911428
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00911443

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 70c6e5340ca46f160d06b40bd28027af66b2b87d2f7d23848eb85a669ce26f1f
Instruction ID: c427d3f5156eda74f36c0349d8d98eed842afa83dc9b1755df9d50bc5521c5c8
Opcode Fuzzy Hash: 70c6e5340ca46f160d06b40bd28027af66b2b87d2f7d23848eb85a669ce26f1f
Instruction Fuzzy Hash: 84515B71B0021EBBEB20EFA5CC45AFE77B8AF44B00F444529EA15E7194E7709A81CB61

Function 00909CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: 13bff2ff999995c6441d1f252a9ee51b9b77f4d1641298ac2ee19dc4ed27f125
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 9B022B71E012199FDF14CFA9C9807AEBBB5FF89314F248269E515E7381D731AD418B90

Function 00911FE9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009120D9

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 73f26fc9b776820c5c5eae20ffd4914fe16453a4aad7d7e9aef496648c9c9aed
Instruction ID: b1ec93051af643584407a9da008cf38c108671feb328d1dc7c20522833b47cc6
Opcode Fuzzy Hash: 73f26fc9b776820c5c5eae20ffd4914fe16453a4aad7d7e9aef496648c9c9aed
Instruction Fuzzy Hash: 1771F0B1A0511CAEDF25EF28CC89AFEB7B8AB49300F1442D9E158A3251DB304ED59F10

Function 008FF8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 008FF8F5
IsDebuggerPresent.KERNEL32 ref: 008FF9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008FF9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 008FF9E4

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 82e87e58fe44afc6382f85bd52c8e5ed147c11cfd64e897ab3c020a17023eb15
Instruction ID: ac58ad54114cfc7f6d6f1a7d6e7ec7a39e484c25dcea4323aadfa68d35e92897
Opcode Fuzzy Hash: 82e87e58fe44afc6382f85bd52c8e5ed147c11cfd64e897ab3c020a17023eb15
Instruction Fuzzy Hash: 923103B5D0521CAADB21DFA4DD497CDBBB8BF08300F1041AAE50CAB290EB719A85CF45

Function 0091AAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,0091AACD,?,?,?,?,?,?,?,?,?,?), ref: 0091AB88
__alloca_probe_16.LIBCMT ref: 0091AC43
__alloca_probe_16.LIBCMT ref: 0091ACD2
__freea.LIBCMT ref: 0091AD1D
__freea.LIBCMT ref: 0091AD23
__freea.LIBCMT ref: 0091AD59
__freea.LIBCMT ref: 0091AD5F
__freea.LIBCMT ref: 0091AD6F

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: d785608b846e440d33e0d1b7647915fcc366a9f5c79c0dcc9d316c3318f37a76
Instruction ID: 0c905d0636f393a4f62851c4f836dda9d82e30a45721eb405c7c7033a980a467
Opcode Fuzzy Hash: d785608b846e440d33e0d1b7647915fcc366a9f5c79c0dcc9d316c3318f37a76
Instruction Fuzzy Hash: D9710376B0564E9FDF219EA49C41FEF77AAEF45310F290455EA04A7292E7348C808792

Function 008FFE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 008FFE70
__alloca_probe_16.LIBCMT ref: 008FFE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 008FFEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008FFEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008FFF37
__alloca_probe_16.LIBCMT ref: 008FFF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 008FFF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 008FFFB9

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 8cce2f90b7b7e4d5fdbc970675b596361427ce8bdecac0434b8cae1a571bf29f
Instruction ID: 283d13e0ee36e1b47f552b51a3080704289aaaee2edb23713a1781a5aa7fbe01
Opcode Fuzzy Hash: 8cce2f90b7b7e4d5fdbc970675b596361427ce8bdecac0434b8cae1a571bf29f
Instruction Fuzzy Hash: 7451797260021EAFEB205F74CC45FBA7AA9FF41754F254439FB14EA1A2EF708D119A60

Function 0090EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0090EEFC

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: 35de1921084bfa8adb079bb00a297cc112c9887ada319f5605db89dbe82c9dbc
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: 30B15672A0435AAFDB21CF24CC91BEEBBB9EF55310F144565E944AF2C2D2749E41CBA0

Function 00900D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00900D77
___except_validate_context_record.LIBVCRUNTIME ref: 00900D7F
_ValidateLocalCookies.LIBCMT ref: 00900E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00900E33
_ValidateLocalCookies.LIBCMT ref: 00900E88

Strings

csm, xrefs: 00900E1D

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bb7c1f6f1e5175bbfac14a43a75774fa4cbc150a61a20d1d353d982be6e2f277
Instruction ID: 3f49e2dc0c45b2a3e7bae46c96ed658072216eaefa44d7c02a16b987155a7746
Opcode Fuzzy Hash: bb7c1f6f1e5175bbfac14a43a75774fa4cbc150a61a20d1d353d982be6e2f277
Instruction Fuzzy Hash: 7641A234A002189FCF10EF68C884B9EBBB9AFC5324F148955E915AB3D2D731AE55CBD1

Function 008F24B0 Relevance: 10.6, APIs: 7, Instructions: 83threadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 008F24DD
ShowWindow.USER32(00000000,00000000), ref: 008F24E6
GetCurrentThreadId.KERNEL32 ref: 008F2524

Part of subcall function 008FF11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,008F253A,?,?,00000000), ref: 008FF129
Part of subcall function 008FF11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,008F253A,?,?,00000000), ref: 008FF142
Part of subcall function 008FF11D: CloseHandle.KERNEL32(?,?,?,008F253A,?,?,00000000), ref: 008FF154

std::_Throw_Cpp_error.LIBCPMT ref: 008F2567
std::_Throw_Cpp_error.LIBCPMT ref: 008F2578
std::_Throw_Cpp_error.LIBCPMT ref: 008F2589
std::_Throw_Cpp_error.LIBCPMT ref: 008F259A

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: d2ed180a804d4aa86a2b2b8923e476676f10e0b879bc1153b061cb3e78d543d4
Instruction ID: 60d56eb7fa701a5131df057c5a35c4a559d0238a9b04bbcaf9db935ad581eef8
Opcode Fuzzy Hash: d2ed180a804d4aa86a2b2b8923e476676f10e0b879bc1153b061cb3e78d543d4
Instruction Fuzzy Hash: 842167F1D4021D9BDF50AFB4DC06BAE7AB4FF04710F180125F708B6281E7B5A514CAA6

Function 0090CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,BB40E64E,?,0090D01A,008F1170,008FAA08,?,?), ref: 0090CFCC

Strings

ext-ms-, xrefs: 0090CF76
api-ms-, xrefs: 0090CF62

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 0b0602c0055b580114544af68d54f01807215103e307e3d575991412f6bd672c
Instruction ID: 5b8ce6770818b78070694d811cd15896cb214432413cecf4700ca5be81cc417a
Opcode Fuzzy Hash: 0b0602c0055b580114544af68d54f01807215103e307e3d575991412f6bd672c
Instruction Fuzzy Hash: 552157B1B56312AFC731AB65EC40A5A7B6EDB81760F240311FB45A72D0DB70ED01D6D1

Function 00900080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00900086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00900094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 009000A5

Strings

GetTempPath2W, xrefs: 0090009A
GetSystemTimePreciseAsFileTime, xrefs: 0090008E
kernel32.dll, xrefs: 00900081

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: bc1725b7a5e40d99721956bcea43ef2f4ae6c176e4b62fbedc6e6b65b564a725
Instruction ID: f8726eb502ca2d032c9b8f7db11ca96ede9bb2a38bbcb9fb0a18e595c8f3b3c7
Opcode Fuzzy Hash: bc1725b7a5e40d99721956bcea43ef2f4ae6c176e4b62fbedc6e6b65b564a725
Instruction Fuzzy Hash: 84D05E71569220AB8330EF75BD098C93AA8FA493103018052F6C0D2658DA7445029B94

Function 00914F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcd7ff8e170c26517aa4fd548610a56ef5f29fd7e09aea97b27db71cee4abbd
Instruction ID: b464175346f340219b985ccf5bbf3a30cd6a4992b93b30f903ea8685123bd98d
Opcode Fuzzy Hash: 6dcd7ff8e170c26517aa4fd548610a56ef5f29fd7e09aea97b27db71cee4abbd
Instruction Fuzzy Hash: EEB10571F08A4DEFDB11DFA8C880BEDBBB5BF85310F164558E51197291C771A982CBA0

Function 008F9B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 008F9C97
std::_Throw_Cpp_error.LIBCPMT ref: 008F9CA8
std::_Throw_Cpp_error.LIBCPMT ref: 008F9CBC
std::_Throw_Cpp_error.LIBCPMT ref: 008F9CDD
std::_Throw_Cpp_error.LIBCPMT ref: 008F9CEE
std::_Throw_Cpp_error.LIBCPMT ref: 008F9D06

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: a0dbd129f582a0557311e93fffe2d4189d6a2f1838ba4133b5cb66ad45fc6347
Instruction ID: 671f5ce991fef30a78534387010911f40c06228192c61c810ed90f05a867b3e3
Opcode Fuzzy Hash: a0dbd129f582a0557311e93fffe2d4189d6a2f1838ba4133b5cb66ad45fc6347
Instruction Fuzzy Hash: 044191B1900748CBDB309B7889057BBB7F8FF45324F18062DD7AAA6292D7716504CB63

Function 0090ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0090ACDE,00900760,008FB77F,BB40E64E,?,?,?,?,0091BFCA,000000FF), ref: 0090ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0090AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0090AD1C
SetLastError.KERNEL32(00000000,?,0090ACDE,00900760,008FB77F,BB40E64E,?,?,?,?,0091BFCA,000000FF), ref: 0090AD6E

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8dd748b8c12351c432c39223e34da57616e7b5a745bfcbfa33a422a87a994511
Instruction ID: f2d025cb1cacd02c2fb39f792c1927a4ba2fcbd10e04f68e1a9eedd18d28b0e2
Opcode Fuzzy Hash: 8dd748b8c12351c432c39223e34da57616e7b5a745bfcbfa33a422a87a994511
Instruction Fuzzy Hash: 7501D47371E719AEE73427747C85A663BC8EB81B79720032AF610555F0EF114C83B281

Function 0090B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0090B68D
CallUnexpected.LIBVCRUNTIME ref: 0090B906

Strings

csm, xrefs: 0090B5AB
csm, xrefs: 0090B6C4
csm, xrefs: 0090B618

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: b7f5b3e1d71497d952811528e8c030434f26840a218aad86b3b3e48bbadcf699
Instruction ID: 90a8c5a003d29167b6cbfad08f3e3a3d2de3735e2b122fe2553b1f7c3b5c3b24
Opcode Fuzzy Hash: b7f5b3e1d71497d952811528e8c030434f26840a218aad86b3b3e48bbadcf699
Instruction Fuzzy Hash: F3B1BF71800209EFCF14DFA4C881AAEBBB9FF94310F14855AF9156B292D732DA61CF91

Function 008FBE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 008FBF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 008FC028

Strings

csm, xrefs: 008FBEB7
RCC, xrefs: 008FBEAB
MOC, xrefs: 008FBE9F

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 6836c38522efc63664f07ce24787a740edbe7904cce45f828873f9a8d9957eb6
Instruction ID: 3e6431b0646f5c119b3cb8be4f7d0a8d986978b10288ea9335d0c1cb43106927
Opcode Fuzzy Hash: 6836c38522efc63664f07ce24787a740edbe7904cce45f828873f9a8d9957eb6
Instruction Fuzzy Hash: 4E418B74901209DFCB28DF78C945ABEB7B5FF88310B58806DE649E7652CB34AA05CB52

Function 009055C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,0091BE94,000000FF,?,00905685,0090556C,?,00905721,00000000), ref: 009055F9
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,00000000,0091BE94,000000FF,?,00905685,0090556C,?,00905721,00000000), ref: 0090560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,0091BE94,000000FF,?,00905685,0090556C,?,00905721,00000000), ref: 0090562D

Strings

mscoree.dll, xrefs: 009055F2
CorExitProcess, xrefs: 00905603

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 90dea59d3c7fcd897bf2865d3c38ad05a94cd1ef6ac564368903c53b484bc831
Instruction ID: 05e7d1c3ed4cb8cc9a1edcfc5f1bf0d3e04039a2faf007143872c1a731e8622e
Opcode Fuzzy Hash: 90dea59d3c7fcd897bf2865d3c38ad05a94cd1ef6ac564368903c53b484bc831
Instruction Fuzzy Hash: 8E01D631A18A29EFCB21DF44DC09BAEB7BCFB44B25F010525F851A26D0DF759900DA90

Function 0090D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0090D76F
__alloca_probe_16.LIBCMT ref: 0090D838
__freea.LIBCMT ref: 0090D89F

Part of subcall function 0090BF11: HeapAlloc.KERNEL32(00000000,00000018,00000000,?,008FA67D,00000018,?,008F3D4A,00000018,00000000), ref: 0090BF43

__freea.LIBCMT ref: 0090D8B2
__freea.LIBCMT ref: 0090D8BF

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: cd3344f992ac1d29bcbde665f26b9a63e47949d54bb22637c96db81181e069bb
Instruction ID: d9d3ae9a266a73b5b36ac9e57c7244684e2a879d60d26c5a6c630e54dc3cb1f6
Opcode Fuzzy Hash: cd3344f992ac1d29bcbde665f26b9a63e47949d54bb22637c96db81181e069bb
Instruction Fuzzy Hash: D251D67260120AAFEB215FE4CC85EBB7BAEEF84720F154529FE04D7291E774DC1096A0

Function 008FEFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(?,008FEFCE,008F8E30,00000000,?,008F8E30,008FA2F0), ref: 008FF005
AcquireSRWLockExclusive.KERNEL32(008F8E38), ref: 008FF024
AcquireSRWLockExclusive.KERNEL32(008F8E38,008FA2F0,?), ref: 008FF052
TryAcquireSRWLockExclusive.KERNEL32(008F8E38,008FA2F0,?), ref: 008FF0AD
TryAcquireSRWLockExclusive.KERNEL32(008F8E38,008FA2F0,?), ref: 008FF0C4

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 4016f5318bc8a8c99e718a53e888b5a8f70740f866f9f13340c90105cd3d1a13
Instruction ID: faa6f324c91ffb7a0cf34d0addb0a6ed91390e500890065fcf7d759b3cfe6a82
Opcode Fuzzy Hash: 4016f5318bc8a8c99e718a53e888b5a8f70740f866f9f13340c90105cd3d1a13
Instruction Fuzzy Hash: 7C412271A00A0EDBCB21DF75C8819BAB3A4FF84315B20493AE756D7A52DB30E985CB51

Function 008F3C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008F3CA5
std::_Lockit::_Lockit.LIBCPMT ref: 008F3CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 008F3CE0
__Getctype.LIBCPMT ref: 008F3D92
std::_Lockit::~_Lockit.LIBCPMT ref: 008F3DD8

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 287f0d6d8943088b7bbd0ef68537d682e8177b78c7f4e0ca395730cc44da0f3d
Instruction ID: 2da72acc5d44320d6982027795b46ac596702f8a8d332ad03a6477c53214737c
Opcode Fuzzy Hash: 287f0d6d8943088b7bbd0ef68537d682e8177b78c7f4e0ca395730cc44da0f3d
Instruction Fuzzy Hash: D4416FB1E006188FCB24DFA8D844BAEB7B5FF44720F148129D919AB391DB34AE45CF91

Function 008FD4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008FD4C9
std::_Lockit::_Lockit.LIBCPMT ref: 008FD4D3
int.LIBCPMT ref: 008FD4EA

Part of subcall function 008FC1E5: std::_Lockit::_Lockit.LIBCPMT ref: 008FC1F6
Part of subcall function 008FC1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 008FC210

codecvt.LIBCPMT ref: 008FD50D
std::_Lockit::~_Lockit.LIBCPMT ref: 008FD544

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: b183de73ff24b7f68c68c8db03be86011fc23c0f55ac0dc4c99967749dcae9e9
Instruction ID: 1803a62d0d98b117cd210bd9c2a9f227864cad8baea41d606f02ddd57f6ab00c
Opcode Fuzzy Hash: b183de73ff24b7f68c68c8db03be86011fc23c0f55ac0dc4c99967749dcae9e9
Instruction Fuzzy Hash: 8101C47190021D9BCB05EB78C915ABD77B6FF88724F144409E715EB282CF749E41CB82

Function 008FADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008FADDE
std::_Lockit::_Lockit.LIBCPMT ref: 008FADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 008FAE57

Part of subcall function 008FACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 008FACC2

std::locale::_Setgloballocale.LIBCPMT ref: 008FAE04
_Yarn.LIBCPMT ref: 008FAE1A

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 004cf5bc334f6396f5c59ce255d6464c8c8e1f2ba53a3858e8e1b854140d82c6
Instruction ID: 1abef790b4ddf9005b628c410cf91969271474b6b5c60b58f06f4815d71f6baf
Opcode Fuzzy Hash: 004cf5bc334f6396f5c59ce255d6464c8c8e1f2ba53a3858e8e1b854140d82c6
Instruction Fuzzy Hash: 120171B96102299BCB09FB34D85557D7BA5FF84760B144019EA0997381CF346E82DB93

Function 008F1750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 008F1783

Strings

ios_base::badbit set, xrefs: 008F1BFA, 008F1C20
ios_base::eofbit set, xrefs: 008F1BEA
ios_base::failbit set, xrefs: 008F1BEF

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: a471d6db9145f49595e996af98fa91c821b28282c80490c42c5a370be90c6fa8
Instruction ID: e260882cdc1ec1a7c41f205ee954be2c2bcc80ef2ce42368813a3b3b768b2817
Opcode Fuzzy Hash: a471d6db9145f49595e996af98fa91c821b28282c80490c42c5a370be90c6fa8
Instruction Fuzzy Hash: 48F14975A00218CFCF14DF68C498AADBBB1FF88324F194269E915AB391D774AD41CB90

Function 008FB755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 008FB809

Strings

RCC, xrefs: 008FB795
csm, xrefs: 008FB7A1
MOC, xrefs: 008FB789

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: cbd712ad72a7cacec553039d77afec0920a2fab4359c5b40318e428a37c6a363
Instruction ID: b69ea07f22a3ea20ec2933616d66257786a7d4805962b565e793931928053c20
Opcode Fuzzy Hash: cbd712ad72a7cacec553039d77afec0920a2fab4359c5b40318e428a37c6a363
Instruction Fuzzy Hash: 9221223591020DDFCF24AFB8C841B7AB3ACFF843A1F14456EE611D7690DB34AA40CA91

Function 00916940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,009169DC,00000000,?,0092D2B0,?,?,?,00916913,00000004,InitializeCriticalSectionEx,00920D34,00920D3C), ref: 0091694D
GetLastError.KERNEL32(?,009169DC,00000000,?,0092D2B0,?,?,?,00916913,00000004,InitializeCriticalSectionEx,00920D34,00920D3C,00000000,?,0090BBBC), ref: 00916957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0091697F

Strings

api-ms-, xrefs: 00916964

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: e8a0bc856e62501eb4d231e6ce7695554b0b6f866f8650eb7db8af534c6963b0
Instruction ID: 3a74f38dec320ceacace9d39d2a69d908584be307cdabbccec09beb4c76e1270
Opcode Fuzzy Hash: e8a0bc856e62501eb4d231e6ce7695554b0b6f866f8650eb7db8af534c6963b0
Instruction Fuzzy Hash: A0E0123179424CB7DF201B61EC06BAC3A5D9B40B55F140420F94CA88E0DB71EC95A944

Function 00913F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00914001

Part of subcall function 0090C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0090D895,?,00000000,-00000008), ref: 0090C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00914253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00914299
GetLastError.KERNEL32 ref: 0091433C

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 80bc99980421db42aaa24b0eb40c11c31ce81b959a49ed6a6a3107a41ae28158
Instruction ID: ef9b6817cab12d26b780097bf41bf5a31a2b5c8990a2cf4d5ac40d79be737254
Opcode Fuzzy Hash: 80bc99980421db42aaa24b0eb40c11c31ce81b959a49ed6a6a3107a41ae28158
Instruction Fuzzy Hash: CAD18C75E042489FCF15CFE9C880AEDBBB9FF49314F28452AE565EB351D630A982CB50

Function 0090B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0090B35C
___AdjustPointer.LIBCMT ref: 0090B37F
___AdjustPointer.LIBCMT ref: 0090B41B

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: a89f43f6b4560054616170b266b093520bb1db5708b629a666ef3c93f03a3a02
Instruction ID: 0a93c516f4593334a81c3655afa7718cde1fbb6aecaaf925b4b561a1811a2e7c
Opcode Fuzzy Hash: a89f43f6b4560054616170b266b093520bb1db5708b629a666ef3c93f03a3a02
Instruction Fuzzy Hash: 2051F371606206DFDB299F64C891BBA77A8EF40710F24442DF916972E1E731ED80CB90

Function 008F7220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008F72C5
std::_Throw_Cpp_error.LIBCPMT ref: 008F7395
std::_Throw_Cpp_error.LIBCPMT ref: 008F73A3
std::_Throw_Cpp_error.LIBCPMT ref: 008F73B1

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 962151d34f8fc45084b394faad4465fe4036c7e1dad113fa8f989a50e5c454c5
Instruction ID: 1d3f4d19a121ddcd0eb659dbe1413d581fe897bfb19b393e1c3c79b48d34555b
Opcode Fuzzy Hash: 962151d34f8fc45084b394faad4465fe4036c7e1dad113fa8f989a50e5c454c5
Instruction Fuzzy Hash: 0641D2B190430D9BEB20AB38C841B7AB7A5FF44320F544639DA5AC7791EB34E815CB92

Function 008F4460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008F4495
std::_Lockit::_Lockit.LIBCPMT ref: 008F44B2
std::_Lockit::~_Lockit.LIBCPMT ref: 008F44D3
std::_Lockit::~_Lockit.LIBCPMT ref: 008F4580

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 0fb1022caccb8cac05c49ce4f1f3909e055007771b019e8d4815b57ca4a1226a
Instruction ID: 17003ca69027beca40ad885f7930cad6d046bb11c1e0fae4fb16e885eb117c7d
Opcode Fuzzy Hash: 0fb1022caccb8cac05c49ce4f1f3909e055007771b019e8d4815b57ca4a1226a
Instruction Fuzzy Hash: 41415EB1D002198FCB24EFA8D844BAEBBB4FB48720F14426AE915A7351D734AD45CFA1

Function 00911DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0090C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0090D895,?,00000000,-00000008), ref: 0090C082

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00911E2A
__dosmaperr.LIBCMT ref: 00911E31
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00911E6B
__dosmaperr.LIBCMT ref: 00911E72

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 1f4b4bb928fa7065e5bc62e4c8c02893d503f3584172dc59a211aba345fc7100
Instruction ID: 042b5a7071399bc08bab0e0e85cf87fd361d6a74e0b2f18024f90252564d5a12
Opcode Fuzzy Hash: 1f4b4bb928fa7065e5bc62e4c8c02893d503f3584172dc59a211aba345fc7100
Instruction Fuzzy Hash: 7321C271B04619BFDB20AFE5D880AABB7ADFF403647108519FE59D7191DB30EC908BA0

Function 00902BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3de55f77c4357e4a07bcb1856f57d5612353c054d676ff20a59102fa8cfcd5
Instruction ID: a0b76d66bd86edef4a836d8f3b78cc69758c43bc4e80360f13ea04c73e78a65e
Opcode Fuzzy Hash: 2a3de55f77c4357e4a07bcb1856f57d5612353c054d676ff20a59102fa8cfcd5
Instruction Fuzzy Hash: D321D471604225AFEF20AF758C88A6EB7ADFF913647104564F895D71D0EB30EC40C7A0

Function 009131BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 009131C6

Part of subcall function 0090C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0090D895,?,00000000,-00000008), ref: 0090C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009131FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0091321E

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 7c09887fbdc63a5fe7c1d6f100910c50cba68bb9264408ba812a8117ccc22400
Instruction ID: ac6082aa7e696e392f2b97f1782bdd57bc56ed2d90c46ba0aaf896957c6ae86d
Opcode Fuzzy Hash: 7c09887fbdc63a5fe7c1d6f100910c50cba68bb9264408ba812a8117ccc22400
Instruction Fuzzy Hash: A11100B1600119BEEB2237B29C8ADFF6A7CDEC53943104824FA1192140FF74DF4181B0

Function 008FE892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008FE899
std::_Lockit::_Lockit.LIBCPMT ref: 008FE8A3
int.LIBCPMT ref: 008FE8BA

Part of subcall function 008FC1E5: std::_Lockit::_Lockit.LIBCPMT ref: 008FC1F6
Part of subcall function 008FC1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 008FC210

std::_Lockit::~_Lockit.LIBCPMT ref: 008FE914

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 4eb4973cfc52f549bc29783112492bd1814cf738d2e6a902c920a7bc53989125
Instruction ID: 0cf368d775ce82b96f91d1746b3bfa8428e4132dd381b0250160062d5bbe004e
Opcode Fuzzy Hash: 4eb4973cfc52f549bc29783112492bd1814cf738d2e6a902c920a7bc53989125
Instruction Fuzzy Hash: F611CE7590421D9BCB15EBB8C945ABDBBA1FF80720F240019E615EB292CF74AA41CB92

Function 0091ADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,0091A2EF,00000000,00000001,00000000,?,?,00914390,?,00000000,00000000), ref: 0091ADB7
GetLastError.KERNEL32(?,0091A2EF,00000000,00000001,00000000,?,?,00914390,?,00000000,00000000,?,?,?,00913CD6,00000000), ref: 0091ADC3

Part of subcall function 0091AE20: CloseHandle.KERNEL32(FFFFFFFE,0091ADD3,?,0091A2EF,00000000,00000001,00000000,?,?,00914390,?,00000000,00000000,?,?), ref: 0091AE30

___initconout.LIBCMT ref: 0091ADD3

Part of subcall function 0091ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0091AD91,0091A2DC,?,?,00914390,?,00000000,00000000,?), ref: 0091AE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,0091A2EF,00000000,00000001,00000000,?,?,00914390,?,00000000,00000000,?), ref: 0091ADE8

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e3a8bf496cb385b035d86b9f3d5dd75ef5edca0f8be9dfd451b96e1a00d8a4cc
Instruction ID: 094696a9d62ab14631a33c7ad8891d73c52ec2c0d0f4c7269e63d2ce0f80f328
Opcode Fuzzy Hash: e3a8bf496cb385b035d86b9f3d5dd75ef5edca0f8be9dfd451b96e1a00d8a4cc
Instruction Fuzzy Hash: 4AF0123661511CBBCF322FD5EC049DA3F26FF44771B004011FA1885560DB328CA1AB91

Function 009004F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00900507
GetCurrentThreadId.KERNEL32 ref: 00900516
GetCurrentProcessId.KERNEL32 ref: 0090051F
QueryPerformanceCounter.KERNEL32(?), ref: 0090052C

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 03ab38908b8aa7ac18f5987d2c9f907e6fed8a6d6fe5fdba427e2cda9aeffe95
Instruction ID: 26a71a12d1c5f9be2226352edfdb8580705e9ed54c35b7c577455a3b8e25b6c9
Opcode Fuzzy Hash: 03ab38908b8aa7ac18f5987d2c9f907e6fed8a6d6fe5fdba427e2cda9aeffe95
Instruction Fuzzy Hash: BAF0B270D1420CEBCB00EFB4DA4898EBBF4FF1C200B918995E412E7510EB30AB45DB50

Function 00910976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 0090C16A: GetLastError.KERNEL32(00000000,?,0090E58D), ref: 0090C16E
Part of subcall function 0090C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00908363), ref: 0090C210

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00905BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00910A35
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00905BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00910A6C

Strings

utf8, xrefs: 00910B3E

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 9e99091e623536c808881756a5159a752a562f1fa2ca1865a9d810ba9371f043
Instruction ID: da8b2441dbb5b794e8c4fb509a1cfc3bbfb61f2e6b24e629be45612df6262174
Opcode Fuzzy Hash: 9e99091e623536c808881756a5159a752a562f1fa2ca1865a9d810ba9371f043
Instruction Fuzzy Hash: 9C51B571B4830DAADB24AB318C46FE672ACEFC5704F144829F55997181F6F2E9C08765

Function 008F73E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 008F7526
___std_exception_copy.LIBVCRUNTIME ref: 008F7561

Part of subcall function 008FAF37: CreateThreadpoolWork.KERNEL32(008FB060,008F8A2A,00000000,00000000,?,008F8A2A,?,?,?,?), ref: 008FAF46
Part of subcall function 008FAF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 008FAF53

Strings

Fail to schedule the chore!, xrefs: 008F7551, 008F7560

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!
API String ID: 3683891980-3313369819
Opcode ID: 70bf51daa9268c72bc632d740acdc818a3b2870fb004db358781b7899e48776c
Instruction ID: 177807aaff5054f348152fce3af5d824a61809cb412814941670a1a1b5d02904
Opcode Fuzzy Hash: 70bf51daa9268c72bc632d740acdc818a3b2870fb004db358781b7899e48776c
Instruction Fuzzy Hash: D751CAB090120CDFDB14EFA4D844BAEBBB0FF48324F144129E919AB391E775AA05CF91

Function 0090B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0090B893,?,?,00000000,00000000,00000000,?), ref: 0090B9B7

Strings

MOC, xrefs: 0090B9C9
RCC, xrefs: 0090B9D1

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 84f5a546536fab9ea13dd1da39a9beaaa46ce80551bb36eb1f5a205496823260
Instruction ID: f575dbe1dfb20f0be786c0f8b718bfff1929874d1e7563037151bdbb610bf1d4
Opcode Fuzzy Hash: 84f5a546536fab9ea13dd1da39a9beaaa46ce80551bb36eb1f5a205496823260
Instruction Fuzzy Hash: 26416C72A00209AFCF15DF94CC81BEEBBB9FF88304F198159FA14A7292D3359950DB51

Function 008F3E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008F3EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 008F4002

Part of subcall function 008FABC5: _Yarn.LIBCPMT ref: 008FABE5
Part of subcall function 008FABC5: _Yarn.LIBCPMT ref: 008FAC09

Strings

bad locale name, xrefs: 008F3F46

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: 6b931bef9e1039220aecb62c9c20d330d3df0fadb05bc22588010f2d13d01a6f
Instruction ID: 647d57b4e847cc5df3fcf7833195d857b8bc5310d8eafd39a3b554643a50a777
Opcode Fuzzy Hash: 6b931bef9e1039220aecb62c9c20d330d3df0fadb05bc22588010f2d13d01a6f
Instruction Fuzzy Hash: 5B414BF0A006459BEB10DF69D805B27BAF8BF44714F044628E5099B781E77AE518CBE2

Function 0090B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0090B475

Strings

csm, xrefs: 0090B497
csm, xrefs: 0090B508

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 2ed1f0bbce40eb098e16b68840b9ac8483310ab92c4df65e716e8acdf0f3c871
Instruction ID: 0dc16ecae0b653857bdaf5ecc9c98a00b0ba2359c55ea55ba7b5bc21cf5b8bba
Opcode Fuzzy Hash: 2ed1f0bbce40eb098e16b68840b9ac8483310ab92c4df65e716e8acdf0f3c871
Instruction Fuzzy Hash: 5F313872400219EFCF229F50CC40DAA7B6AFF08714B18869AFD440A1B2C336DEA1DF81

Function 008FB831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 008FB8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 008FB8DE

Part of subcall function 0090060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,008FF354,00000000,?,?,?,008FF354,008F3D4A,0092759C,008F3D4A), ref: 0090066D

Part of subcall function 00908353: IsProcessorFeaturePresent.KERNEL32(00000017,0090378B,?,?,?,?,00000000,?,?,?,008FB5AC,008FB4E0,00000000,?,?,008FB4E0), ref: 0090836F

Strings

csm, xrefs: 008FB86D

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: c6fb77c1a77ec014cf734f5354a860555f262b33ee7764ad13d84563298fdc05
Instruction ID: 4cdcab4e29c5f140f4fbf429bea862225e1217f5ac13ee1a4659ad09f47b7b21
Opcode Fuzzy Hash: c6fb77c1a77ec014cf734f5354a860555f262b33ee7764ad13d84563298fdc05
Instruction Fuzzy Hash: C3212531E1021CABCF249EA9D845ABEB7B9FF84790F140429E605EB650DB70AD55CB81

Function 008FB46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 008F2673

Strings

ios_base::badbit set, xrefs: 008F2650
bad array new length, xrefs: 008F2626

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: 7cc0e12b27a9fa3d9b33d1679087642b03f60061b7044c987a5e946bc091d955
Instruction ID: 30bbf98837ec5c0c99e07ee69f579dda4d76e198925dc459ab99c5a8b4b376f6
Opcode Fuzzy Hash: 7cc0e12b27a9fa3d9b33d1679087642b03f60061b7044c987a5e946bc091d955
Instruction Fuzzy Hash: 6A01B1F1609304ABDB14DF28D845B6ABBE4EF48318F01891CF459DB341D379E844CB81

Function 008F2610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 0090060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,008FF354,00000000,?,?,?,008FF354,008F3D4A,0092759C,008F3D4A), ref: 0090066D

___std_exception_copy.LIBVCRUNTIME ref: 008F2673

Strings

ios_base::badbit set, xrefs: 008F2650
bad array new length, xrefs: 008F2626

Memory Dump Source

Source File: 00000002.00000002.1700673808.00000000008F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000002.00000002.1700656726.00000000008F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700698227.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700718925.000000000092A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700739783.000000000092F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700759374.0000000000932000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1700801282.000000000097E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8f0000_Aura.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: d15e9112bc7a4ddcf55a02ad05084c14b4ac2ae40c090be57f1ac226632b81d5
Instruction ID: f6c927f74419173a3d5e3329d9a6dbb797d10628dbd931ecb3d8c2f6c2daa33e
Opcode Fuzzy Hash: d15e9112bc7a4ddcf55a02ad05084c14b4ac2ae40c090be57f1ac226632b81d5
Instruction Fuzzy Hash: 0BF01CF1A19310ABD710AF18DC45757BBE4EB89718F018D1CF5989B340D3B5D448CB92

Analysis Process: Aura.exePID: 6988, Parent PID: 6788COMMON

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	68
Total number of Limit Nodes:	7

Executed Functions

Function 00408680 Relevance: 7.7, APIs: 5, Instructions: 249
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004086A4
GetCurrentThreadId.KERNEL32 ref: 004086AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000,?), ref: 004087DD
GetForegroundWindow.USER32 ref: 004088A1

Part of subcall function 0040C830: CoInitializeEx.OLE32(00000000,00000002), ref: 0040C843

Part of subcall function 0040B720: FreeLibrary.KERNEL32(00408978), ref: 0040B726
Part of subcall function 0040B720: FreeLibrary.KERNEL32 ref: 0040B747

ExitProcess.KERNEL32 ref: 00408991

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: e843ce397e95a7a4f9e2afb866568efc9843b9a29ca9dad48084fef23a3395c2
Instruction ID: 719c045ee3bb05490b25d200acc1df5498f9a5c5afb4084d0d06abb797ad2041
Opcode Fuzzy Hash: e843ce397e95a7a4f9e2afb866568efc9843b9a29ca9dad48084fef23a3395c2
Instruction Fuzzy Hash: 57713B77A047144FD318EF69CD5632BB6D6ABC8310F09C53EA8C5EB391EA789C018789

Function 0040B11D Relevance: 4.2, Strings: 3, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#\, xrefs: 0040B1CC
^\, xrefs: 0040B1D3
_Y, xrefs: 0040B147

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: #\$^\$_Y
API String ID: 0-1775706250
Opcode ID: 1c254cbc2ea113dba85d633fbd872cadb1710f13e14ff148a90661bb3d6fd125
Instruction ID: 64828c1c663671413410b9e3e71a9c3a4536903c3cbe0315ba33c507ed14c13b
Opcode Fuzzy Hash: 1c254cbc2ea113dba85d633fbd872cadb1710f13e14ff148a90661bb3d6fd125
Instruction Fuzzy Hash: 36F170B9204B02DFD3248F25D891B56FBB1FF8A314F11862DD45A9B7A0D734A862CF94

Function 0043CFA0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(004401FA,?,00000018,?,?,00000018,?,?,?), ref: 0043CFCE

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043D929 Relevance: 1.4, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D]+\, xrefs: 0043D990

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID: D]+\
API String ID: 2994545307-1174097187
Opcode ID: 2cfa3c311a0e9c01cd225743fa52a5313a8d1775c02606c88f75f1f7f84942d4
Instruction ID: 7572c7809211613d87147b95baac5cf25656afb3abccc1c11bb3482e60d05e20
Opcode Fuzzy Hash: 2cfa3c311a0e9c01cd225743fa52a5313a8d1775c02606c88f75f1f7f84942d4
Instruction Fuzzy Hash: 0321F579B0C3458FD754AF55E88013F77A3ABCA310F28A52ED9C243356C6745C069A1A

Function 0043D357 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e537460dccc4a7b7ef12968f72ed291eab62e9864d205944ff9e0a6744b74f2
Instruction ID: 40e1c0e03dd7cb4f9cd5c8cc5c1a6d528c3109dc285a0f6b12963c487ef0f2fc
Opcode Fuzzy Hash: 1e537460dccc4a7b7ef12968f72ed291eab62e9864d205944ff9e0a6744b74f2
Instruction Fuzzy Hash: FE110479A092448FD7089F14E89053F77A2EB8A314F28A43EDA83C3351CB709C159A0A

Function 00435ED4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00435EFD

Strings

G, xrefs: 00435F1A
F, xrefs: 00435F16
A, xrefs: 00435F12

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: A$F$G
API String ID: 95929093-3785783914
Opcode ID: 63f7d250430c684fa06de44afb9861202c016e2409db28788b3215d73582899f
Instruction ID: d25d89b923c4efa808e0dea8fd42158e08fc3be147d6bfd14b539fb1b57ef5f4
Opcode Fuzzy Hash: 63f7d250430c684fa06de44afb9861202c016e2409db28788b3215d73582899f
Instruction Fuzzy Hash: BC11E374A046808FCB09CB78C8917ED7FF26F5E310F1841ADD98AA73D1EA394941CB29

Function 00409BEC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000), ref: 00409CC8

Strings

@4C, xrefs: 00409C91

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: LibraryLoad
String ID: @4C
API String ID: 1029625771-2729656245
Opcode ID: be34798907d0c0e48b961aaf20c694c46cc9c752a02d3d3cd553411d0cde06da
Instruction ID: ed32fe20f9c2acc6b9e53cce2f2001b642a3f1e2c48bd5ab92002aa4c3cc17ee
Opcode Fuzzy Hash: be34798907d0c0e48b961aaf20c694c46cc9c752a02d3d3cd553411d0cde06da
Instruction Fuzzy Hash: 3C31DFB5E043148FDB04CFA9C98169EBBF1BF5A300F0A81AAD4407B366C7745909CBD5

Function 0043D1AA Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043D1AA
GetForegroundWindow.USER32 ref: 0043D1C0

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: c4e5699213e8c8392b4d3a6b569e32cded55f0697a2c8afc432cfcaf34d365f3
Instruction ID: 3dbaf8c9d4b4cdac177c22d0d0fe4f5d6608661041d7d8772ec8f984dcac4e78
Opcode Fuzzy Hash: c4e5699213e8c8392b4d3a6b569e32cded55f0697a2c8afc432cfcaf34d365f3
Instruction Fuzzy Hash: ADD027FDD5310057C94C5B31ED1E41F36119B9B355714443DF40342372CD594807C54A

Function 0043CF20 Relevance: 1.5, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B481,00000000,?), ref: 0043CF52

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7f3820e98a24e56921eea2794d8514486a620388b301369882b321bfb5007782
Instruction ID: c4c6d5ac5a7046e1c04a2e0ad53a0c9e2ada00cb9aac4fe49d4db54e1692947d
Opcode Fuzzy Hash: 7f3820e98a24e56921eea2794d8514486a620388b301369882b321bfb5007782
Instruction Fuzzy Hash: 2EF0E976509211DBD2102F357C02B6B3664EF9B314F05183AF90162262DB38D401C6DF

Function 0043B4A0 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0040AF96,?), ref: 0043B4BE

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 429c131509c383a8080d6349d90cad9e8071549669016c5803abf4d1718e22ef
Instruction ID: 58de357fc96c06f87596776b9ae076427f094bf4a21e5fbafae531d5480062ca
Opcode Fuzzy Hash: 429c131509c383a8080d6349d90cad9e8071549669016c5803abf4d1718e22ef
Instruction Fuzzy Hash: 1AD0127140A922EBC7101F15FC07B9A3A64EF09761F070865F4406B0B1C634DC51DAD8

Function 0043B47F Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043B489

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e101f999de7608f65741e262228b5bb0f7081bf9408d8d083b24d78faad8d434
Instruction ID: 74af769b7eed74eb0bbf98d3c0715bab597ac674c92011b1c0092895a3fe5e5d
Opcode Fuzzy Hash: e101f999de7608f65741e262228b5bb0f7081bf9408d8d083b24d78faad8d434
Instruction Fuzzy Hash: 4CB00274156515B9E17127115CD5F7F1D6CDF47ED5F100058B204140D04E545401D57E

Function 0043B485 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043B489

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e673e6dd3fec5261cced75f808d9bb89ecabcd96bcb259183d1e251c2252e486
Instruction ID: 1c973efff51b4848ffeff69cb2d809a45373ecc0414c0770032ce1ef959c8293
Opcode Fuzzy Hash: e673e6dd3fec5261cced75f808d9bb89ecabcd96bcb259183d1e251c2252e486
Instruction Fuzzy Hash: 0DA00274156511F9D16127115C95F7F2968AB47A95F100068A204140A04E645001D56E

Non-executed Functions

Function 004382F0 Relevance: 21.7, APIs: 10, Strings: 2, Instructions: 675memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044268C,00000000,00000001,0044267C), ref: 004385B2
SysAllocString.OLEAUT32(0000AA09), ref: 00438617
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438654
SysAllocString.OLEAUT32(0000AA09), ref: 00438697
SysAllocString.OLEAUT32(0000AA09), ref: 00438744
VariantInit.OLEAUT32( )*+), ref: 004387AF
VariantClear.OLEAUT32(?), ref: 00438919
SysFreeString.OLEAUT32(?), ref: 0043893D
SysFreeString.OLEAUT32(?), ref: 00438943
SysFreeString.OLEAUT32(00000000), ref: 00438954

Strings

\]^_, xrefs: 00438A1F
)*+, xrefs: 0043833E

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: )*+$\]^_
API String ID: 2485776651-2322973909
Opcode ID: ad9a5df13a79529466875a2391a2d9c4f178ea59c0f8a74a64ccf3bd56a8d54e
Instruction ID: 2e71509d261cad856181e072583a0b97192b489e60390a5bbc3d405ab7213408
Opcode Fuzzy Hash: ad9a5df13a79529466875a2391a2d9c4f178ea59c0f8a74a64ccf3bd56a8d54e
Instruction Fuzzy Hash: 0712FEB6A083009BE314DF25C88176BBBE1EFC9314F14592EF5D49B391DB78D8068B96

Function 00415729 Relevance: 17.4, Strings: 13, Instructions: 1182COMMON

Download Yara Rule

Strings

'+5>, xrefs: 00415C64
L4, xrefs: 00416020
>"0, xrefs: 00415C7A
L4, xrefs: 004163F0
$aA, xrefs: 0041611E
7\A, xrefs: 00415C31
MfA, xrefs: 00416646
kjih, xrefs: 004160D6
~t~{, xrefs: 004159DC
2)!*, xrefs: 00415C6F
41##, xrefs: 00415C85
kjih, xrefs: 004157AC
nVA, xrefs: 00415D9D

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: $aA$'+5>$2)!*$41##$7\A$>"0$MfA$kjih$kjih$~t~{$nVA$L4$L4
API String ID: 0-705411989
Opcode ID: a038ddd7a4fba88be4bd41d0b89a0969865ad0c869122aac13da161970b1766d
Instruction ID: 51b238df478912f03407f53bcd861463622d7a63e5711f880fdd80badda0364d
Opcode Fuzzy Hash: a038ddd7a4fba88be4bd41d0b89a0969865ad0c869122aac13da161970b1766d
Instruction Fuzzy Hash: 32823475609242CFD724CF24D8817AFB7E2EBC5314F19893EE48987392D7389845CB8A

Function 00419BE0 Relevance: 15.3, APIs: 2, Strings: 6, Instructions: 1330COMMON

Download Yara Rule

APIs

Part of subcall function 0043CFA0: LdrInitializeThunk.NTDLL(004401FA,?,00000018,?,?,00000018,?,?,?), ref: 0043CFCE

FreeLibrary.KERNEL32(?), ref: 0041A22A
FreeLibrary.KERNEL32(?), ref: 0041A2AB

Strings

kjih, xrefs: 0041A14D
kjih, xrefs: 0041AA66
pq, xrefs: 00419F80
fI.K, xrefs: 00419F70
M"O, xrefs: 00419F78
kjih, xrefs: 00419C33

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: M"O$fI.K$kjih$kjih$kjih$pq
API String ID: 764372645-57064758
Opcode ID: ca8ec4aa3c6a2665215101971d6ba1bdbaeb8bf3706cfe3159db190018bb5402
Instruction ID: fd54df58326f29ab5dcbf35c0345235bb947318f3f37ecb71676f87aa7f67674
Opcode Fuzzy Hash: ca8ec4aa3c6a2665215101971d6ba1bdbaeb8bf3706cfe3159db190018bb5402
Instruction Fuzzy Hash: 469269756093405FE7108F54D8807BBBBE2EBD5720F28C82EE5C497391D6799C82CB9A

Function 00424200 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 231COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 004242DA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,-71D32B14), ref: 00424355

Strings

WQ, xrefs: 00424252
7KE, xrefs: 0042422A
_Y, xrefs: 00424242
@AF, xrefs: 00424399
.sM, xrefs: 0042421A
RDB, xrefs: 00424448

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: .sM$7KE$RDB$@AF$WQ$_Y
API String ID: 237503144-2889437315
Opcode ID: fd78b8c373c58d299f0efd85543560d449a9ccfd47c3bf4ca4055bad2ee08b59
Instruction ID: 85809d692e9afabcf63d0d0bcf8913d9c1483266ef3a87abd0c9896b8c6eff8a
Opcode Fuzzy Hash: fd78b8c373c58d299f0efd85543560d449a9ccfd47c3bf4ca4055bad2ee08b59
Instruction Fuzzy Hash: D58102B52083509FE710CF28E84175FBBE0FB86718F11883DF5959B281D775890A8B9B

Function 00415C3B Relevance: 11.9, Strings: 9, Instructions: 665COMMON

Download Yara Rule

Strings

'+5>, xrefs: 00415C64
MfA, xrefs: 00416646
L4, xrefs: 00416020
>"0, xrefs: 00415C7A
kjih, xrefs: 00416003
2)!*, xrefs: 00415C6F
41##, xrefs: 00415C85
nVA, xrefs: 00415D9D
L4, xrefs: 004163F0

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: '+5>$2)!*$41##$>"0$MfA$kjih$nVA$L4$L4
API String ID: 0-3043129773
Opcode ID: ea301c221e4f7209e4005bd83a573e57ebd9b891a4b9fdff834431d860e3db60
Instruction ID: fcf332fa4094b6d4c8e6d19021d207cb0fce23afcc655588a84ff703f5482b79
Opcode Fuzzy Hash: ea301c221e4f7209e4005bd83a573e57ebd9b891a4b9fdff834431d860e3db60
Instruction Fuzzy Hash: CE224676A09252CFD724CF28C8507AFB7E2ABC5304F1A893ED49997351DA38DC45CB86

Function 004092A0 Relevance: 10.4, Strings: 8, Instructions: 369COMMON

Download Yara Rule

Strings

fJG], xrefs: 004092D5
\EEZ, xrefs: 004092ED
SZVm, xrefs: 004092DD
Xjbn, xrefs: 00409406
v, xrefs: 004092F5
KJ, xrefs: 00409460
S_SY, xrefs: 004093F6
I3_1, xrefs: 004093DE

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: I3_1$KJ$SZVm$S_SY$Xjbn$\EEZ$fJG]$v
API String ID: 0-857426366
Opcode ID: 83eb09dffcbbdc965478d9f71f007973de22261fc9de05b1123d5afc216dca86
Instruction ID: f42e5032e00e911cfcbd82df24bde4ae6fb01620b43778d51bef518939847aa5
Opcode Fuzzy Hash: 83eb09dffcbbdc965478d9f71f007973de22261fc9de05b1123d5afc216dca86
Instruction Fuzzy Hash: 72B1D47160C3914AD726CF2988503ABBFE19F97344F0899ADE4D5AB383C23DC906C756

Function 00432C00 Relevance: 9.2, APIs: 6, Instructions: 157clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00432C22
GetClipboardData.USER32 ref: 00432C43
GlobalLock.KERNEL32 ref: 00432C60
CloseClipboard.USER32 ref: 00432DE1

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID:
API String ID: 1494355150-0
Opcode ID: 38ddb1ce13d4ad96419e6f72ad5d578662d1422aa4eeb45f494bb9f640afa450
Instruction ID: 4b4268758659fb9edbbb30050a8655cc6678ffe48e55207d2636374afee827fe
Opcode Fuzzy Hash: 38ddb1ce13d4ad96419e6f72ad5d578662d1422aa4eeb45f494bb9f640afa450
Instruction Fuzzy Hash: 505127B1904B518FD700AF78C94939EBFE0AF09314F04863AD49597281D3BC9959C797

Function 0042B3C0 Relevance: 7.7, Strings: 6, Instructions: 234COMMON

Download Yara Rule

Strings

LL[R, xrefs: 0042B4CC
Pk, xrefs: 0042B5A8
', xrefs: 0042B452
t, xrefs: 0042B5B2
UgRQ, xrefs: 0042B587
CJMx, xrefs: 0042B4C1

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: '$CJMx$LL[R$Pk$UgRQ$t
API String ID: 0-841269659
Opcode ID: ad6ac4a83ce9c7b2206c5238d969d6c841d12ab1a149e2618a8805dbebfd9730
Instruction ID: a27ab65c82591e32e6bf893d3bde866ba41d28cee15bcb772b57012cf8e8fd86
Opcode Fuzzy Hash: ad6ac4a83ce9c7b2206c5238d969d6c841d12ab1a149e2618a8805dbebfd9730
Instruction Fuzzy Hash: 7B81CEB460D3918BD3358F29A5A13EBBFE1EF96300F18495DD4D94B392C739840A8B97

Function 00426E50 Relevance: 6.8, Strings: 5, Instructions: 600COMMON

Download Yara Rule

Strings

r?, xrefs: 00426E6A
:8!v, xrefs: 00426F4D
}, xrefs: 004274B0
0pB, xrefs: 00427372
?ohm, xrefs: 00427400

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: 0pB$:8!v$?ohm$r?$}
API String ID: 0-2715177541
Opcode ID: 749cc9b2b166e2aefd78e54216929a7a1d54e2de09e8ea6fbb84eebd505d5f3a
Instruction ID: 27fefe2fbb4672028c34b568132a3d04d557551c2bb752c391d38c84f1a92060
Opcode Fuzzy Hash: 749cc9b2b166e2aefd78e54216929a7a1d54e2de09e8ea6fbb84eebd505d5f3a
Instruction Fuzzy Hash: 621266B2A183918BD714CF29D85126BB7E1EFD6304F09896EE8D5C7382D739D805CB86

Function 0041C051 Relevance: 6.7, Strings: 5, Instructions: 455COMMON

Download Yara Rule

Strings

%xy~, xrefs: 0041C3AF
.L!r, xrefs: 0041C39A
tz, xrefs: 0041C3A8
E], xrefs: 0041C152
E], xrefs: 0041C3F2

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: %xy~$.L!r$E]$E]$tz
API String ID: 0-4134713695
Opcode ID: 8be511cfeaf7478c689c94cf0d6a1a9b7ea702216c27cb980bac304771c85408
Instruction ID: 893324274ff4417acd688581e0214f6c4df399dd6a88d7d17f1ef9b959fda1b6
Opcode Fuzzy Hash: 8be511cfeaf7478c689c94cf0d6a1a9b7ea702216c27cb980bac304771c85408
Instruction Fuzzy Hash: E2D1DFB0940B019FC320DF39C992663BFB1FF16300B54866DD4D68B755E338A459CBA6

Function 0041C980 Relevance: 5.7, Strings: 4, Instructions: 683COMMON

Download Yara Rule

Strings

A~, xrefs: 0041CA76
&', xrefs: 0041CCF4
5F&D, xrefs: 0041CA66
Q3O-, xrefs: 0041CCDC

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: &'$5F&D$A~$Q3O-
API String ID: 0-675504753
Opcode ID: 812f62e87a523b56efcce59179e77158da321b0c9cf250dad7521a95bb97face
Instruction ID: 633e36ed10f3989885d87796e4429ae6f20bcc81ed0b5666aa2646e33d91a16f
Opcode Fuzzy Hash: 812f62e87a523b56efcce59179e77158da321b0c9cf250dad7521a95bb97face
Instruction Fuzzy Hash: 702211B2A4C3108FD714DF69CC916AFB7E2EFD5314F09892DE4C59B341E63889458B8A

Function 00423D78 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 321COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00423F0C

Strings

74, xrefs: 0042411C
t@, xrefs: 00423FDB

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: DrivesLogical
String ID: 74$t@
API String ID: 999431828-3855452393
Opcode ID: e6493996eb5fd517559c0d72a5a97f6fc41877c730dd7ed30f2c307e77615d90
Instruction ID: d8fda7944a744acaf0d178b2b36fa13dc41ebd5ea8d3209462f2d5dd7201e77a
Opcode Fuzzy Hash: e6493996eb5fd517559c0d72a5a97f6fc41877c730dd7ed30f2c307e77615d90
Instruction Fuzzy Hash: 12B197B5608380CFD310CF58D98122BBBE1EBC6704F55892DEAC59B321D7799946CB8B

Function 00424460 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 204COMMON

Download Yara Rule

Strings

@AF, xrefs: 00424399
RDB, xrefs: 00424448

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: RDB$@AF
API String ID: 0-293929955
Opcode ID: f15f5163eaab6831977543f007d43be88b34e39f7c2b7db232dd98a3b66f87d2
Instruction ID: 8e72b51382bd84331a0b3652428f3f841449d97c4acde29aa1b9e14835349b3b
Opcode Fuzzy Hash: f15f5163eaab6831977543f007d43be88b34e39f7c2b7db232dd98a3b66f87d2
Instruction Fuzzy Hash: 876111B16083409FE724CF29EC41BDBB7E4EB86308F01883DF6899B281D77595058B9B

Function 004096A0 Relevance: 5.4, Strings: 4, Instructions: 391COMMON

Download Yara Rule

Strings

_[G], xrefs: 00409768, 00409840
y{, xrefs: 0040991F
_[G], xrefs: 004098F5
,-, xrefs: 004099C7

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: ,-$_[G]$_[G]$y{
API String ID: 0-1845238737
Opcode ID: 9edd87a1e525675c0c32356b88bb5c69c29a2f3fa61c5e596b79bb2793044053
Instruction ID: 6c32fc5b9f6112090130227e0787eee7bd849e3471c3c2ea16adaf94930d4e34
Opcode Fuzzy Hash: 9edd87a1e525675c0c32356b88bb5c69c29a2f3fa61c5e596b79bb2793044053
Instruction Fuzzy Hash: 4DC1177261C3808BD718DF26D89166BBBE6EBD1314F18883DE0D19B382DA3CD509CB16

Function 0041499B Relevance: 4.5, Strings: 3, Instructions: 755COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00414D70
BPA, xrefs: 00415033
kjih, xrefs: 00415130

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: BPA$D]+\$kjih
API String ID: 0-779469481
Opcode ID: 3b795639909c093783c68fb88a88c2082f21191ea6d78dddba18fb4a727ae03a
Instruction ID: c86518ecb6a2af19fc35f5361c14f0002270ccc2ac66e0080cc6d1c57852e329
Opcode Fuzzy Hash: 3b795639909c093783c68fb88a88c2082f21191ea6d78dddba18fb4a727ae03a
Instruction Fuzzy Hash: 77224479608301DFEB14DF24E84176BB7E2EBCA314F54843EE485573A2DB349D008B9A

Function 00422540 Relevance: 4.2, Strings: 3, Instructions: 464COMMON

Download Yara Rule

Strings

SP, xrefs: 00422570
(l"R, xrefs: 00422568
kjih, xrefs: 00422930

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: (l"R$SP$kjih
API String ID: 0-567659598
Opcode ID: 3785ca1b37f9add546c1038ec4aba19b713aab3aa18d44877dd8aa41cb3b2193
Instruction ID: a3900cc6fc55148a6c8e14d85553ca1c9869342b247b30b550114912dbf9fceb
Opcode Fuzzy Hash: 3785ca1b37f9add546c1038ec4aba19b713aab3aa18d44877dd8aa41cb3b2193
Instruction Fuzzy Hash: ABB14972604310ABD714AF24E99277BB3E1EF91324F59852EF88597381E37CD905C36A

Function 00438D10 Relevance: 4.2, Strings: 3, Instructions: 424COMMON

Download Yara Rule

Strings

kjih, xrefs: 00438D55
kjih, xrefs: 0043913B, 00438E98
kjih, xrefs: 00438EB5

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID: kjih$kjih$kjih
API String ID: 2994545307-810310282
Opcode ID: 712fac94ba7437c9b3dbec18473d263afff0cd89d38fa19ec11d9b71cf0c5c0e
Instruction ID: 767e002e25c183fdeed3407a3d66f84cc4350f69500a9d1ea3b218917b86b708
Opcode Fuzzy Hash: 712fac94ba7437c9b3dbec18473d263afff0cd89d38fa19ec11d9b71cf0c5c0e
Instruction Fuzzy Hash: E1B16B71A083014FD7249F24988163FF7B6EBDA324F15A52EF58567391DB39EC028B89

Function 00439459 Relevance: 4.2, Strings: 3, Instructions: 407COMMON

Download Yara Rule

Strings

\, xrefs: 00439900
^_, xrefs: 00439739
., xrefs: 004395AE

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: .$\$^_
API String ID: 0-3646303928
Opcode ID: 297d3f3141377644b6f0c33220492bdc5aba9e444d2ed4812824903fec6dcd11
Instruction ID: 062b75e545c243369e7d1007839102a71fa034d595c1669f30e3ba6f234e4085
Opcode Fuzzy Hash: 297d3f3141377644b6f0c33220492bdc5aba9e444d2ed4812824903fec6dcd11
Instruction Fuzzy Hash: 37D1E43A628252CBCB18AF28DC6127E73F1FF4A751F1A887DD4814B6A0EB798D50C715

Function 00423257 Relevance: 3.0, Strings: 2, Instructions: 477COMMON

Download Yara Rule

Strings

kjih, xrefs: 004234E2
kjih, xrefs: 00423707

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: kjih$kjih
API String ID: 0-3924671761
Opcode ID: d2e0f1181bacb05ca1da8367e0b89aa2228c71b326f4e83b93677016c63df9da
Instruction ID: a487c086f2bff6f57182d60980e0fcb6fe8e22d5ef2e364a4cc1ffc52942c78a
Opcode Fuzzy Hash: d2e0f1181bacb05ca1da8367e0b89aa2228c71b326f4e83b93677016c63df9da
Instruction Fuzzy Hash: 78F1E27A618202CFE718CF24EC5176A73E6FF8A315F4A893CE54597291EB38E910CB45

Function 004269E0 Relevance: 2.9, Strings: 2, Instructions: 392COMMON

Download Yara Rule

Strings

-,#", xrefs: 00426A05
$b%., xrefs: 00426D93

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID: $b%.$-,#"
API String ID: 2994545307-931030428
Opcode ID: 6a3802928c5f5a87aac56f19ec11622fc088211d542d43d856bad98c04f61c22
Instruction ID: eb0a7813bc495cb2fd809d80ca2ae1eeb419bef85b2bda93f64a55ce56aa5a2f
Opcode Fuzzy Hash: 6a3802928c5f5a87aac56f19ec11622fc088211d542d43d856bad98c04f61c22
Instruction Fuzzy Hash: 57B18A717083644BDB14DF24E8927BBB7A1EB91314F86853EE8858B381D63DDD05C39A

Function 00425986 Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

kjih, xrefs: 004259D5
kjih, xrefs: 00425951

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: kjih$kjih
API String ID: 0-3924671761
Opcode ID: 9c4abc055bfff55d6b9c6c044379669858391a61c272c9d70dbe5eab9bb1bf85
Instruction ID: 435e266f2ad6e6eef63f3cb7faf8b725e12e8754059b896fb3d6e380001f75d0
Opcode Fuzzy Hash: 9c4abc055bfff55d6b9c6c044379669858391a61c272c9d70dbe5eab9bb1bf85
Instruction Fuzzy Hash: 5C11D676346B60CBC3148B54E49027FB7D1EBD6721FA9952EC9D123B50C17C9C428B9A

Function 0042AAE0 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

", xrefs: 0042ADB8

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: e628c99f02590b6f0d4c943b71b77343dd47da835aa70e3396d5bfee97e0f26e
Instruction ID: 7155dd8fcac62196877c4163cf259fe4e5bc86aa3de5309139ff4223dd971825
Opcode Fuzzy Hash: e628c99f02590b6f0d4c943b71b77343dd47da835aa70e3396d5bfee97e0f26e
Instruction Fuzzy Hash: BEC146B1B083245FC7149E25A88076BBBE6AB80314F49892FEC958B381D73CDD19C787

Function 0041B18C Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

PLR3, xrefs: 0041B367

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: PLR3
API String ID: 0-2761226970
Opcode ID: 55f0f2b169892d99dcd16b4c9832ed68bdf8ab973c645c435139344f562a5964
Instruction ID: 032294ec5626711b583989303ca1e9da9d1a30cf5e4cc2b543d20f08b9a82161
Opcode Fuzzy Hash: 55f0f2b169892d99dcd16b4c9832ed68bdf8ab973c645c435139344f562a5964
Instruction Fuzzy Hash: B7811675601B008FC725CF28C8917A3B7F1FF96314B0895ADD4968B7A2D738E885CB94

Function 0043B910 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

kjih, xrefs: 0043BA55

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID: kjih
API String ID: 2994545307-2138429548
Opcode ID: a33593026fd8eb9ec5c79d2faeb1b809e771c45f5c9a28dba86a33fca7da4d5a
Instruction ID: 4357d8f11cacceb57ec802c14660e1cd95a9d51a826ff5a575db21d457add18a
Opcode Fuzzy Hash: a33593026fd8eb9ec5c79d2faeb1b809e771c45f5c9a28dba86a33fca7da4d5a
Instruction Fuzzy Hash: 4C613B326057118BCB609F28C8C076BF792EFCA324F19A52ED68497365D735AC45C7C5

Function 00438AE0 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

kjih, xrefs: 00438B45

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: kjih
API String ID: 0-2138429548
Opcode ID: a1d68a4cb3e2e4bf4865ca5e0cd9f0b9f8ab046a7825ff6a50d9a1042725e3fa
Instruction ID: 91fe87c1877ca5f05fcaee7cce7fcb8ec47d91bc591b00911bc4e7c23d8210a4
Opcode Fuzzy Hash: a1d68a4cb3e2e4bf4865ca5e0cd9f0b9f8ab046a7825ff6a50d9a1042725e3fa
Instruction Fuzzy Hash: 635107B46083019FE7009F29DC81B2FB7E5EB89314F10982DF68597292DB39EC15C79A

Function 0042459E Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

! %, xrefs: 00425C6C

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: ! %
API String ID: 0-2174870612
Opcode ID: 2e64160a11173ddfd979c0ea3d0d2b814565963c2ce7f953d5e5f862b9a3bbaa
Instruction ID: 8f1612b3a262938f3178b7bf199caa3967da8d02cacb31485a6ba24c03ffaef1
Opcode Fuzzy Hash: 2e64160a11173ddfd979c0ea3d0d2b814565963c2ce7f953d5e5f862b9a3bbaa
Instruction Fuzzy Hash: AB515731649B658BD720CF6494912BBBBE1DF65310F948A2FC4D687381E238A805D35A

Function 0042CD4D Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

kjih, xrefs: 0042CE00

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID: kjih
API String ID: 2994545307-2138429548
Opcode ID: f523621342962c52b4740b321783b526dc97598ad58fbbfbbcbe4c7a2d8bfb81
Instruction ID: 0fb10d53722430d4b77c1d80d6dbef02a9e55c0cd5a1f5aea47d3c4abb22a9cd
Opcode Fuzzy Hash: f523621342962c52b4740b321783b526dc97598ad58fbbfbbcbe4c7a2d8bfb81
Instruction Fuzzy Hash: 083169756087914BD3688F35A8A073FBBD2EF92300FA8496DE1D2873A1D7249C05CB99

Function 0042D05A Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

eB, xrefs: 0042D0CB

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: eB
API String ID: 0-3246501281
Opcode ID: e457f3081f52afee7ef6ccade78faed1e2b4b572523890a29aca42b2418bd9a1
Instruction ID: c9e8a37eecd0f3d021b10de5c2d54c9a99e51523f08571bc8dc744a8d9646f72
Opcode Fuzzy Hash: e457f3081f52afee7ef6ccade78faed1e2b4b572523890a29aca42b2418bd9a1
Instruction Fuzzy Hash: 0631C03060C3D18BD7398F3484657EBBBA1AF96304F94499DC0CA9B282DB39550ACB56

Function 0043F080 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

@, xrefs: 0043F0E9

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: a472d10b5f9a7e5390908e9f8f6212d90e40df790a0c6070693bbc59db7dec30
Instruction ID: 46bd95ab95da14b092a617a80e557a72b18f969592b6fa2af1023528b8fd012f
Opcode Fuzzy Hash: a472d10b5f9a7e5390908e9f8f6212d90e40df790a0c6070693bbc59db7dec30
Instruction Fuzzy Hash: 593132725083048BCB14DF18E8816ABBBF5FB96320F10693DE5858B390E7359C08CB96

Function 0042C62F Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

s, xrefs: 0042C676

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: e45a1f2e2537c3aa27091e076b28e989616aa4a1697a312ccc4ccaba39526ba3
Instruction ID: 29f20c3b0e98ad2f0a32b60c155a5575d60e561524289968dcee3ba061b6bae2
Opcode Fuzzy Hash: e45a1f2e2537c3aa27091e076b28e989616aa4a1697a312ccc4ccaba39526ba3
Instruction Fuzzy Hash: AF31F63170C7928BC71D8F34C8643BBBBD1ABD2340F18496EE1D687391D73888068B56

Function 0042D0AE Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

eB, xrefs: 0042D0CB

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: eB
API String ID: 0-3246501281
Opcode ID: d234fc643cf34f131e990788b67370748e9a2949fcd5bacb75e7d281b2b4cb11
Instruction ID: 90c3ea06982c064a0e3bffddaa11293396c71f55d8fe445c898e383a11b9c4a0
Opcode Fuzzy Hash: d234fc643cf34f131e990788b67370748e9a2949fcd5bacb75e7d281b2b4cb11
Instruction Fuzzy Hash: 9231DF7060C3908BD7398F34C8657EBBBB1AF96300F94896DC1CA5B381DB395506CB96

Function 0042C62D Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

s, xrefs: 0042C676

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: a17dc4b0f29f5f9b404bef73946c92c1ddcd8b9df2cdf66f2056694c3c23ac44
Instruction ID: 15acc6a3c80bf2e33e426aada9df871cc9eb11dbc7320abd226b1ce3a4d8280f
Opcode Fuzzy Hash: a17dc4b0f29f5f9b404bef73946c92c1ddcd8b9df2cdf66f2056694c3c23ac44
Instruction Fuzzy Hash: 7121E57170C7928BC71CCF34C86526FBBD1ABD6300F28896EE5D687391D638C8068B4A

Function 00407500 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26be0585b5863154a1ada3a28109cfd6482920505ec00f8f0cdb4773e3318629
Instruction ID: 61abf759c9cadcf257a693f3ee14b799edd8696e77a16ce848846ba68cf6fefd
Opcode Fuzzy Hash: 26be0585b5863154a1ada3a28109cfd6482920505ec00f8f0cdb4773e3318629
Instruction Fuzzy Hash: 2A22A132A0C7118BD725DF18D8806ABB3E1BFC4319F19893ED586A7385D738B8558B87

Function 00429241 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c81599bf1fc021bcf0fc65e73ee2db50555a858067dd38631d90d1653f08eb
Instruction ID: 68e5704013bb15557501bf91ff2a082cc52ba5735bc95d065c9548d78084a955
Opcode Fuzzy Hash: a6c81599bf1fc021bcf0fc65e73ee2db50555a858067dd38631d90d1653f08eb
Instruction Fuzzy Hash: 53E15671E10226CBCB24CF64D8916ABB7B1FF5A314F19465ED8427B354E738AC02CB94

Function 004221E0 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b107d9bb1a2d9e1941e1462cd52ab4669c909d1b4daa805a2e9a076f479614
Instruction ID: e9311dae094bf1733b1d0aea7d2779e411c23cfc233bdfe60b8c7cd348ef5974
Opcode Fuzzy Hash: 81b107d9bb1a2d9e1941e1462cd52ab4669c909d1b4daa805a2e9a076f479614
Instruction Fuzzy Hash: BA9143B1604311ABC710DF24D892B6B73B0FF91328F14891DF8859B391E7B9D905C76A

Function 0041D5EC Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20164083485a976f9987a595a4cf69ff1c1b16a8df36ebfeef1c5dc0fa762dc
Instruction ID: 5c7151967bff9507dd7797c5c2d42f530f5128f49545d25f922d80f8fb09922b
Opcode Fuzzy Hash: e20164083485a976f9987a595a4cf69ff1c1b16a8df36ebfeef1c5dc0fa762dc
Instruction Fuzzy Hash: E55113B4A0C3508BD7109F28D85266BB7F2EFD2308F18492DE4D99B391E739D905C75A

Function 0041D603 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a87800b8fe64a1213682ffcd7b3cd920df7af8cf0b63194adf3f10e9c6102a
Instruction ID: ac4aaf9ef2867e45983ff7a9ae25f09b9656f6f0dd0720ade2da784ad1356d6e
Opcode Fuzzy Hash: 05a87800b8fe64a1213682ffcd7b3cd920df7af8cf0b63194adf3f10e9c6102a
Instruction Fuzzy Hash: C95101B4A0C3508BD7109F28C85266BB7F2EFD2308F18892DE4D89B391E739C541C75A

Function 0041F0E0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437213943a5d6f7bba8ab58dfeae2c69ad63b4cb29ace8fcc03a326a6a244e04
Instruction ID: 4f692c9c50cbc654eae74ccc9224dc58b5a9b046cdd264a5c32c37c2572de626
Opcode Fuzzy Hash: 437213943a5d6f7bba8ab58dfeae2c69ad63b4cb29ace8fcc03a326a6a244e04
Instruction Fuzzy Hash: 0A615A3560C3919FC7258F39C88096B7BE0AF96314F0882BEE8D447392D635DC4AD796

Function 0043DCE7 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477dd9c6162770bc73e5b88d5049b7ad5744b8a8486b04fcbe3a7d2182c8346d
Instruction ID: 56fb3b66251f4f27547c2b9d23238da8952789ee290974d3697a2f11aacd2a15
Opcode Fuzzy Hash: 477dd9c6162770bc73e5b88d5049b7ad5744b8a8486b04fcbe3a7d2182c8346d
Instruction Fuzzy Hash: 7741C232E145254BDB19CFB8D8911BFFBF2AB9D310F1A512EC446E7341DA38AD018B98

Function 0041B5DD Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6aefbff8f267baa07500557e8c01890b3537268b37c2e49d1637d7f1157a591
Instruction ID: 07ff840f00c89fee05c80b5a58555568be596aadf3cf6fbd15384ce02e8096e0
Opcode Fuzzy Hash: b6aefbff8f267baa07500557e8c01890b3537268b37c2e49d1637d7f1157a591
Instruction Fuzzy Hash: E65149763507014FE7248F29C9C1B52BBE2EFE6304F1985ACD0959B762C7B8D802CB54

Function 0040C551 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63813f41dbe511761db8f20762812b93e7ab948a97c621a9b6d96b75e500041
Instruction ID: 9be73a98b056c2d0c7dacf170e0cd6e8e4dd5e5827fd6e65ad473f576408e71a
Opcode Fuzzy Hash: f63813f41dbe511761db8f20762812b93e7ab948a97c621a9b6d96b75e500041
Instruction Fuzzy Hash: 0E41347965C3018BC7188F64CC4567BB7F2EFC6304F189A3CE48593381DA388A06870E

Function 0041BF5D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83626cacc7732c68ab18a552209682d8902d6c7a8a32954126ad0522ddbd671
Instruction ID: 6761710f77d38817d46bc0a1b71ee177f124221904cd2e9cb6d64fccfdedefae
Opcode Fuzzy Hash: f83626cacc7732c68ab18a552209682d8902d6c7a8a32954126ad0522ddbd671
Instruction Fuzzy Hash: C12123757447418FC719CF66C8A0263BBA3AFCA25432EC04EC4968B36AC774F8868B44

Function 00432000 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62b68f1efe2ca59d36d82e6a055fe48e925e50c8864e3853668cf8a2d06942e
Instruction ID: c8573963d71175ab879c5f59e786e450b1420257dcd06735500d0dc1f647cab2
Opcode Fuzzy Hash: c62b68f1efe2ca59d36d82e6a055fe48e925e50c8864e3853668cf8a2d06942e
Instruction Fuzzy Hash: AF21B5F0900B00AFD360EF3AC946607BEF8EB49354F508A1DF4AA87691D371A5458BD6

Function 00435880 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5b2b74ac1a3ba5c45c454e7f1da22ae82971d98106045a86a0c66dac7f734a9c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 1311E533A055D44EC3168D3C8400566BFE30EA7235F69939AF4F89B2D6D6268D8E8359

Function 0040C404 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e78fea8a38b24ded5d16d5c4de34fcb1592ffda36adc458e5286e25c154e54
Instruction ID: 8ded2d301ed04a995954a13864b114fad71100f10da4f8fc48165d4e31c5a971
Opcode Fuzzy Hash: f3e78fea8a38b24ded5d16d5c4de34fcb1592ffda36adc458e5286e25c154e54
Instruction Fuzzy Hash: 6E11B83464D3419BD329CF24A8D1B6BBBE2EBD2204F14E82CE08192351C5B8D8068B1E

Function 0042A4B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e09823d0e02ffd6712e61936e7254897359c543f25d11d694a2a38905cc569
Instruction ID: 67478a81853eec2dea72d16e4687bce84520cd468960b50aea60f26b09377acc
Opcode Fuzzy Hash: f3e09823d0e02ffd6712e61936e7254897359c543f25d11d694a2a38905cc569
Instruction Fuzzy Hash: 840192F170071197D620AE25A5C4727A2A86F9070CF48443EEC4967342DBBDFC2886AA

Function 0042DE30 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54a11bb87efbfbf342d2a2c3f144219fdb4e62799be38ffa775fb600503eca8
Instruction ID: be3d4ae164ca6086263ea6c394f1b56c4cacc59ffcacf56fb8c71461d48c70a6
Opcode Fuzzy Hash: b54a11bb87efbfbf342d2a2c3f144219fdb4e62799be38ffa775fb600503eca8
Instruction Fuzzy Hash: C501F435D086A247CB254F388411373BB625FA7308B5D54EDC4C1AF383C61EDC068798

Function 0043E1F4 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902304f499d5a184e8a82fb08a67af2d628892b930146d8a0c022a126982db98
Instruction ID: 1fd46abd00d7749c6900e513f53550d416a0f2a30bea42f7423d10527cabea00
Opcode Fuzzy Hash: 902304f499d5a184e8a82fb08a67af2d628892b930146d8a0c022a126982db98
Instruction Fuzzy Hash: F0C04C38A581418B9B08CF04E9954BAB776979F214B18B13ED506F3750C734DC01990C

Function 00428BFE Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680e004b511eee906e3079cfc60d91f8bd874a58f69aba1e39e5ab1c21b77e04
Instruction ID: 8ddfabdbd47d42b1c93bf9e1ab641da2c5150ae9938c0d7cb83ab9f96b1d894d
Opcode Fuzzy Hash: 680e004b511eee906e3079cfc60d91f8bd874a58f69aba1e39e5ab1c21b77e04
Instruction Fuzzy Hash: 72B00274E441548BE614CF14DD50B74F375A747105F153454D10EB7152C631E955CA0D

Function 00424C80 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a90507de928d43dc4e33b8172c8b4ebbfc2960a3ccf639557fe3167fb9d420
Instruction ID: 8ee52886bdf383e29db227205d642dcaefe645a769550572070308d17a5c2958
Opcode Fuzzy Hash: f5a90507de928d43dc4e33b8172c8b4ebbfc2960a3ccf639557fe3167fb9d420
Instruction Fuzzy Hash: 4FB002349891008BD604CF58D550575F3759747618F157818D547B3251D655F858C91D

Function 00432367 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004323A9

Strings

c, xrefs: 004323C3
_, xrefs: 004323CB
x, xrefs: 004323F3
-, xrefs: 004323EB
^, xrefs: 004323D3

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitVariant
String ID: -$^$_$c$x
API String ID: 1927566239-2011743646
Opcode ID: 5e0d3c51ad46ec2c06616873faac0f117c26524ed99fea09ff2c6b131de0c4e1
Instruction ID: e4baa1acc4d029566cdfd59e8f7d3bb8e186af098319ae9321de840ef7b9e312
Opcode Fuzzy Hash: 5e0d3c51ad46ec2c06616873faac0f117c26524ed99fea09ff2c6b131de0c4e1
Instruction Fuzzy Hash: C1415D71108B81CED7158F38C598356BFE16B66324F48869CC5E90F7EAC3759505C7A2

Function 004298F0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 004299CD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 00429A3F

Strings

Wuv7, xrefs: 0042999E, 00429980
Wuv7, xrefs: 00429A0A

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: Wuv7$Wuv7
API String ID: 237503144-1932794618
Opcode ID: e25d58ab24c04b765f1a7a92fece9777d65b5727fe9848fec3fb11f69464d559
Instruction ID: 1d21664b7f25e21536eec30c841bdffe79b404d1da9bba8fb3677da827e04efc
Opcode Fuzzy Hash: e25d58ab24c04b765f1a7a92fece9777d65b5727fe9848fec3fb11f69464d559
Instruction Fuzzy Hash: 0151DEB52483149FE3109F21EC81B5BBBF8FB8A704F10492DF6989B282D7759509CB96

Function 0041973F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

V0/., xrefs: 004197DB
@, xrefs: 00419763

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: @$V0/.
API String ID: 0-2384241223
Opcode ID: 00119c81bcb70a326370affddf1987019324e2da4765eb631dd7385480b59cf8
Instruction ID: fd479f24e7454a86608881c10ac1fb51ac8f6e5b5ecef8113ba61f705af730f2
Opcode Fuzzy Hash: 00119c81bcb70a326370affddf1987019324e2da4765eb631dd7385480b59cf8
Instruction Fuzzy Hash: 37411876608341DBD3109F25DC91BAB77E9AFD6311F098A3EE5D8C7281DA388D448726

Function 004245C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

@AF, xrefs: 00424399
RDB, xrefs: 00424448

Memory Dump Source

Source File: 00000003.00000002.1753400415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: RDB$@AF
API String ID: 0-293929955
Opcode ID: bb3f07d3bb2fcabe52b39a1d35e15f1a9833749b2156f1220bab2b88511df349
Instruction ID: 09827799f60907410c32fcdc6003198550ce2609f474eab8529e9ba8762932c7
Opcode Fuzzy Hash: bb3f07d3bb2fcabe52b39a1d35e15f1a9833749b2156f1220bab2b88511df349
Instruction Fuzzy Hash: 2251CDB56082009FD710CF28EC4275BBBE0AB86318F11483DF5899B281E67699098B9B

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Aura.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Aura.exe

Function 0092A19E Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 008F1FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Function 008F24B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Function 0090CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 008F1750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Function 00905349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 009054EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 0090565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00913BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 009143CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 008F90F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Function 0090DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 008F1EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON