Windows Analysis Report
veraport-g3-x64.exe

Overview

General Information

Sample name:veraport-g3-x64.exe
Analysis ID:1560644
MD5:d8ab34d9e288b2d5b3ea326dd6a650a1
SHA1:8cf181bcaef90594c8ba50b0e47927957b7f3e13
SHA256:ba1863828de1f75bb051fb3b84437a3b765c4c49bce7b7a68277ca34dd4f6d2e

Detection

Score:54
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Installs new ROOT certificates
Modifies the windows firewall
Overwrites Mozilla Firefox settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Changes image file execution options
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64_ra
  • veraport-g3-x64.exe (PID: 6904 cmdline: "C:\Users\user\Desktop\veraport-g3-x64.exe" MD5: D8AB34D9E288B2D5B3EA326DD6A650A1)
    • veraport-g3-x64.tmp (PID: 6936 cmdline: "C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp" /SL5="$60386,28872543,119296,C:\Users\user\Desktop\veraport-g3-x64.exe" MD5: 6A96BEF4679E16A54B4090E74664DCCA)
      • sc.exe (PID: 6432 cmdline: "C:\Windows\system32\sc.exe" stop WizveraPMSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • veraport20unloader.exe (PID: 6868 cmdline: "C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe" /addloopback MD5: D64EF8F62E694FC68A53CF8CA44CB6FB)
        • CheckNetIsolation.exe (PID: 4872 cmdline: "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe MD5: 03CF7163B4837A001BD4667A8880D6CD)
          • conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • veraport20unloader.exe (PID: 3460 cmdline: "C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe" /link MD5: D64EF8F62E694FC68A53CF8CA44CB6FB)
        • taskkill.exe (PID: 6944 cmdline: "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 7064 cmdline: "C:\Windows\System32\taskkill.exe" /f /im veraport.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 4132 cmdline: "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 1856 cmdline: "C:\Windows\System32\taskkill.exe" /f /im verainagent.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • regsvr32.exe (PID: 4952 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • wizveraregsvr.exe (PID: 3916 cmdline: "C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe" veraport20.dll MD5: AA4EF1C182A79F24B519167C41FAB32E)
        • conhost.exe (PID: 4004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wizcertutil.exe (PID: 1920 cmdline: "C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe" /force /gencert /target veraport MD5: 0FFE29C5EFF5BD3E25142A388FBEDB5A)
        • certutil.exe (PID: 1868 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 2272 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 2420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 2604 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 3492 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 5824 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 4404 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 4912 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 5124 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 3744 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 4840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 4180 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 2080 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 3512 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 7092 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 2336 cmdline: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wpmsvcsetup.exe (PID: 3948 cmdline: "C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe" /VERYSILENT MD5: EA18C971818F833249090BB8B11F72C3)
        • wpmsvcsetup.tmp (PID: 3680 cmdline: "C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp" /SL5="$702DC,5451002,118784,C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe" /VERYSILENT MD5: 63B15124BE653DBE589C7981DA9D397C)
          • sc.exe (PID: 2200 cmdline: "C:\Windows\system32\sc.exe" stop WizveraPMSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
            • conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WizSvcUtil.exe (PID: 6556 cmdline: "C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe" -fw add MD5: 50E4842EA92F74B2C82426FF562E2CCD)
            • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 3704 cmdline: "C:\Windows\system32\sc.exe" config WizveraPMSvc start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
            • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wpmsvc.exe (PID: 6436 cmdline: "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" /i MD5: 3C126066F71E9A97F6D8E6383D4BA9B0)
            • conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 6608 cmdline: "C:\Windows\system32\sc.exe" start WizveraPMSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
            • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • veraport-x64.exe (PID: 5156 cmdline: "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/ MD5: FEB822E7254B73E0D4615BE26A32917F)
      • netsh.exe (PID: 4176 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)" MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 980 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Wizvera-Veraport-G3(x64)" dir=in program="C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" action=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 2144 cmdline: "C:\Windows\system32\sc.exe" start WizveraPMSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7028 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 7124 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7052 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6160 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 2524 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6320 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wpmsvc.exe (PID: 6264 cmdline: "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" MD5: 3C126066F71E9A97F6D8E6383D4BA9B0)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\, CommandLine: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe" /force /gencert /target veraport, ParentImage: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe, ParentProcessId: 1920, ParentProcessName: wizcertutil.exe, ProcessCommandLine: "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\, ProcessId: 1868, ProcessName: certutil.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, ProcessId: 6936, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wizvera-veraport-x64
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: -1, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, ProcessId: 6936, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\veraport.exe\CWDIllegalInDllSearch
Source: Registry Key set, Author: frack113: Data: Details: 127.0.0.1:16105;127.0.0.1:16106;, EventID: 13, EventType: SetValue, Image: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe, ProcessId: 5156, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7028, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy), ReversingLabs: Detection: 20%
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-GTH4V.tmp, ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe, Code function: 29_2_6C78A050 legacy_SetCryptFunctions,29_2_6C78A050
Source: veraport-g3-x64.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-M4IGQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-ROPB8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-L4QKL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-UH4U1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-41JG5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-2TBQT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-QBQRE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2D992E01-604B-472C-A883-1DDA105A24D5}_is1
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp, File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-11-21 #001.txt
Source: veraport-g3-x64.exe, Static PE information: certificate valid
Source: veraport-g3-x64.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\wizvera\Desktop\WizveraRegsvr\x64\Release\WizveraRegsvr.pdb source: wizveraregsvr.exe, 0000001A.00000000.2015566570.00007FF76E4C3000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: msvcr120.i386.pdb source: certutil.exe, certutil.exe, 0000001D.00000002.2060220556.000000006C821000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000027.00000002.2095362672.000000006C9AB000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: D:\myproject\veraport\client\veraport-git\x64\Release\veraport-x64.pdb source: veraport-x64.exe, 00000046.00000003.2314436870.00000000022C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: veraport20unloader.exe, 0000000B.00000000.1857609150.00000001403C4000.00000080.00000001.01000000.00000008.sdmp, veraport-x64.exe, 00000046.00000002.2493412405.00007FF64C347000.00000040.00000001.01000000.0000001E.sdmp, veraport-x64.exe, 00000046.00000000.2287433051.00007FF64C327000.00000080.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\project\WizveraMonitorSvc\Release\WizSvcUtil.pdb source: WizSvcUtil.exe, 0000003D.00000000.2186783101.0000000000486000.00000002.00000001.01000000.0000001C.sdmp, WizSvcUtil.exe, 0000003D.00000002.2203739867.0000000000486000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: veraport20unloader.exe, 0000000B.00000000.1857609150.00000001403C4000.00000080.00000001.01000000.00000008.sdmp, veraport-x64.exe, 00000046.00000002.2493412405.00007FF64C347000.00000040.00000001.01000000.0000001E.sdmp, veraport-x64.exe, 00000046.00000000.2287433051.00007FF64C327000.00000080.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\project\veraport20-trunk\Release\wizcertutil.pdb source: wizcertutil.exe, 0000001C.00000000.2029147646.0000000000CF6000.00000002.00000001.01000000.0000000C.sdmp
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe, Code function: 35_2_73D79860 FindFirstFileA,GetLastError,35_2_73D79860
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe, Code function: 37_2_73D99860 FindFirstFileA,GetLastError,37_2_73D99860
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe, Code function: 35_2_73D7AB40 recvfrom,WSAGetLastError,select,select,recvfrom,WSAGetLastError,35_2_73D7AB40
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: certutil.exe, 0000001F.00000003.2067763798.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2069974782.0000000001645000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2068589203.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.000000000162F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2082291119.0000000001041000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2081288335.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077330181.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079742279.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079709919.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079519207.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079200331.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2078362563.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2083467137.0000000001041000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077885682.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001562000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126601031.0000000001551000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126962215.0000000001551000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.000000000154E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
00000031.00000003.2127849502.0000000001551000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.000000000156C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: certutil.exe, 0000001F.00000003.2067647963.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2067193775.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digice
Source: certutil.exe, 00000031.00000003.2124724497.0000000001562000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRoo:
Source: certutil.exe, 0000001F.00000003.2068589203.000000000163A000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2069974782.0000000001645000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2068589203.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.000000000162F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2081288335.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077330181.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079742279.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079200331.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2078362563.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001562000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2127849502.0000000001554000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.0000000001567000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.000000000154E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001577000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.000000000156C000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2135507810.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2136439734.000000000113B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2133140189.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
00000033.00000003.2133572365.0000000001124000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2155254110.0000000001298000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: certutil.exe, 0000001F.00000003.2067763798.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2069974782.0000000001645000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2068589203.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.000000000162F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2082291119.0000000001041000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2081288335.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077330181.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079742279.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079200331.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2078362563.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2083467137.0000000001041000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077885682.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001562000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126848119.0000000001577000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.0000000001577000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.000000000154E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001577000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2137675370.000000000113D000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
00000033.00000003.2135507810.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2136439734.000000000113B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: wpmsvcsetup.tmp, 0000003A.00000002.2277797196.000000000018E000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: veraport-g3-x64.tmp, 00000001.00000002.2327483900.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005EBB000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000002.2277797196.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2482651638.0000000001448000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000003.2324884304.0000000000778000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000002.2470988880.0000000000786000.00000004.00000020.00020000.00000000.sdmp, is-K6R7B.tmp.58.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: veraport-g3-x64.tmp, 00000001.00000002.2327483900.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005EBB000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000002.2277797196.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2482651638.0000000001448000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000003.2324884304.0000000000778000.00000004.00000020.00020000.00000000.sdmp, is-K6R7B.tmp.58.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: certutil.exe, 0000001F.00000003.2067647963.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2068589203.000000000163A000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2069974782.0000000001645000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2068589203.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2067193775.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.000000000162F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2081288335.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077330181.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079742279.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079200331.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2078362563.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001562000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2127849502.0000000001554000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.0000000001567000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.000000000154E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.000000000156C000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2135507810.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2136439734.000000000113B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
00000033.00000003.2133140189.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2133572365.0000000001124000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: veraport-g3-x64.tmp, 00000001.00000002.2327483900.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005EBB000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000002.2277797196.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2482651638.0000000001448000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000003.2324884304.0000000000778000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000002.2470988880.0000000000786000.00000004.00000020.00020000.00000000.sdmp, is-K6R7B.tmp.58.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: certutil.exe, 0000001F.00000002.2069974782.0000000001645000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust
Source: certutil.exe, 0000001F.00000003.2067763798.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2069974782.0000000001645000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2068589203.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.000000000162F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2082291119.0000000001041000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2081288335.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077330181.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079742279.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079709919.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079519207.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079200331.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2078362563.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2083467137.0000000001041000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077885682.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001562000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126601031.0000000001551000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126962215.0000000001551000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.000000000154E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
00000031.00000003.2127849502.0000000001551000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.000000000156C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: veraport20unloader.exe, 0000000B.00000003.1867927274.0000000000400000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://help.wizvera.com/help/faq/killprocess.html
Source: veraport20unloader.exe, 0000000B.00000003.1867927274.0000000000400000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://help.wizvera.com/help/faq/killprocess.htmlInvalid
Source: is-7BT79.tmp.1.drString found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es0
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: veraport-g3-x64.tmp, 00000001.00000002.2327483900.000000000018E000.00000004.00000010.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2067763798.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2067647963.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2068589203.000000000163A000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2069974782.0000000001645000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2068589203.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2067193775.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.000000000162F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2082291119.0000000001041000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2081288335.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077330181.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079742279.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079200331.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2078362563.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2083467137.0000000001041000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001562000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2127849502.0000000001554000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.0000000001567000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
00000031.00000003.2126848119.0000000001577000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.0000000001577000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: veraport-g3-x64.tmp, 00000001.00000002.2327483900.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005EBB000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000002.2277797196.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2482651638.0000000001448000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000003.2324884304.0000000000778000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000002.2470988880.0000000000786000.00000004.00000020.00020000.00000000.sdmp, is-K6R7B.tmp.58.drString found in binary or memory: http://ocsp.digicert.com0A
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: veraport-g3-x64.tmp, 00000001.00000002.2327483900.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005EBB000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000002.2277797196.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2482651638.0000000001448000.00000004.00000020.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2487058178.0000000001E70000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000003.2324884304.0000000000778000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000002.2470988880.0000000000786000.00000004.00000020.00020000.00000000.sdmp, is-K6R7B.tmp.58.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.pki.gva.es0
Source: certutil.exe, 0000001F.00000003.2067763798.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2069974782.0000000001645000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2068589203.0000000001631000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.000000000162F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2082291119.0000000001041000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2081288335.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077330181.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079742279.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079709919.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079519207.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079200331.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2078362563.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2083467137.0000000001041000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077885682.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001562000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126601031.0000000001551000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126962215.0000000001551000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.000000000154E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
00000031.00000003.2127849502.0000000001551000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.000000000156C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.suscerte.gob.ve0A
Source: veraport-g3-x64.tmp, 00000001.00000002.2327483900.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005EBB000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000002.2277797196.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2482651638.0000000001448000.00000004.00000020.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2487058178.0000000001E70000.00000004.00000020.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2481805310.0000000000FFC000.00000004.00000010.00020000.00000000.sdmp, is-K6R7B.tmp.58.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: veraport-g3-x64.tmp, 00000001.00000002.2327483900.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005C60000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2262673257.0000000005EBB000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000002.2277797196.000000000018E000.00000004.00000010.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2482651638.0000000001448000.00000004.00000020.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2487058178.0000000001E70000.00000004.00000020.00020000.00000000.sdmp, wpmsvc.exe, 00000045.00000002.2481805310.0000000000FFC000.00000004.00000010.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000003.2324884304.0000000000778000.00000004.00000020.00020000.00000000.sdmp, is-K6R7B.tmp.58.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocspcnnicroot.cnnic.cn0;
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://policy.camerfirma.com0

System Summary

Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C74235029_2_6C742350
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C72C7D029_2_6C72C7D0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C743FD029_2_6C743FD0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C741FB029_2_6C741FB0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C72CFA029_2_6C72CFA0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C72BB9029_2_6C72BB90
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C740B9029_2_6C740B90
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C758F9029_2_6C758F90
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C78A89029_2_6C78A890
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7935E029_2_6C7935E0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7891B029_2_6C7891B0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C791A6029_2_6C791A60
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C78B22029_2_6C78B220
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C78561029_2_6C785610
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C79471029_2_6C794710
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7EEC3029_2_6C7EEC30
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7AFDC029_2_6C7AFDC0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7C1DC029_2_6C7C1DC0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7E4DA029_2_6C7E4DA0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7FBEB029_2_6C7FBEB0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C801FB029_2_6C801FB0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7C6FC029_2_6C7C6FC0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7AAFA029_2_6C7AAFA0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7B6F8029_2_6C7B6F80
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7CB83029_2_6C7CB830
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7EC95029_2_6C7EC950
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7FF9D029_2_6C7FF9D0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7B9B7029_2_6C7B9B70
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7FCB1029_2_6C7FCB10
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7C2BF029_2_6C7C2BF0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7D348029_2_6C7D3480
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7F95A029_2_6C7F95A0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7DE65029_2_6C7DE650
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7D162029_2_6C7D1620
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7AF6E029_2_6C7AF6E0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7C07D029_2_6C7C07D0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C7DF78029_2_6C7DF780
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 31_2_73D6543031_2_73D65430
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 31_2_73D6FC3031_2_73D6FC30
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013C45C535_3_013C45C5
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013C45C535_3_013C45C5
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013A8F1D35_3_013A8F1D
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013A8F1D35_3_013A8F1D
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013C45C535_3_013C45C5
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013C45C535_3_013C45C5
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013A8F1D35_3_013A8F1D
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013FF29535_3_013FF295
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013FF29535_3_013FF295
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013FF29535_3_013FF295
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013FF29535_3_013FF295
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013FF29535_3_013FF295
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013FF29535_3_013FF295
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013FF29535_3_013FF295
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013FF29535_3_013FF295
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013FF29535_3_013FF295
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013A8F1D35_3_013A8F1D
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013C45C535_3_013C45C5
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013C45C535_3_013C45C5
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013C45C535_3_013C45C5
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013C45C535_3_013C45C5
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013A8F1D35_3_013A8F1D
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_3_013A8F1D35_3_013A8F1D
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D6D37035_2_73D6D370
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D6924035_2_73D69240
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D6BA2035_2_73D6BA20
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D6A6F035_2_73D6A6F0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D6BE4035_2_73D6BE40
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D6E4C035_2_73D6E4C0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D724E035_2_73D724E0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D7C44035_2_73D7C440
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D7441035_2_73D74410
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D9543035_2_73D95430
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D9FC3035_2_73D9FC30
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73D8D37037_2_73D8D370
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73D8924037_2_73D89240
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73D8BA2037_2_73D8BA20
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73D8A6F037_2_73D8A6F0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73D8BE4037_2_73D8BE40
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73D8E4C037_2_73D8E4C0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73D924E037_2_73D924E0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73D9C44037_2_73D9C440
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73D9441037_2_73D94410
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73DB543037_2_73DB5430
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73DBFC3037_2_73DBFC30
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy) 1D30213F461B5A48B7B230C926F8D83455B0EDC4AB636140170F7B86C2EDB3CC
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-0KS0O.tmp 4AEB5405CCF74214098229712CDF6157A4783B51FC42086408A5D0D9169DE41E
Source: veraport-g3-x64.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: veraport-g3-x64.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-M4IGQ.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-M4IGQ.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: wpmsvcsetup.tmp.57.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: wpmsvcsetup.tmp.57.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-0KS0O.tmp.58.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-0KS0O.tmp.58.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: veraport-g3-x64.exe, 00000000.00000003.1226013726.000000007FE42000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs veraport-g3-x64.exe
Source: veraport-g3-x64.exe, 00000000.00000003.1225437119.00000000025A6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs veraport-g3-x64.exe
Source: veraport-g3-x64.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: veraport20unloader.exe.1.dr Static PE information: Section: ZLIB complexity 1.0002096913343559
Source: veraport20unloader.exe.1.dr Static PE information: Section: ZLIB complexity 0.9987649356617647
Source: veraport20unloader.exe.1.dr Static PE information: Section: ZLIB complexity 0.9906123991935484
Source: is-ROPB8.tmp.1.dr Static PE information: Section: ZLIB complexity 0.993495269286754
Source: is-ROPB8.tmp.1.dr Static PE information: Section: ZLIB complexity 0.998046875
Source: is-ROPB8.tmp.1.dr Static PE information: Section: ZLIB complexity 1.002685546875
Source: is-L4QKL.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9916408372961957
Source: is-L4QKL.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9928385416666666
Source: is-UH4U1.tmp.1.dr Static PE information: Section: ZLIB complexity 1.0002096913343559
Source: is-UH4U1.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9987649356617647
Source: is-UH4U1.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9906123991935484
Source: is-HFR1U.tmp.1.dr Static PE information: Section: ZLIB complexity 1.0003577796546546
Source: is-HFR1U.tmp.1.dr Static PE information: Section: ZLIB complexity 0.990234375
Source: is-QBQRE.tmp.1.dr Static PE information: Section: ZLIB complexity 1.0000752497843588
Source: is-QBQRE.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9926676702657807
Source: is-QBQRE.tmp.1.dr Static PE information: Section: ZLIB complexity 1.0006103515625
Source: classification engine Classification label: mal54.phis.spyw.evad.winEXE@113/100@0/0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Code function: 35_2_73D77EC0 MapViewOfFile, GetLastError, FormatMessageA, GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Code function: 29_2_6C721120 GlobalMemoryStatus, GetLogicalDrives, GetComputerNameA, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetVolumeInformationA, GetDiskFreeSpaceA
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Mutant created: \Sessions\1\BaseNamedObjects\{24D4C5E4-B2DA-43BC-99D8-8D4F9E6A3E1E}_x64
Source: C:\Users\user\Desktop\veraport-g3-x64.exe File created: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "veraport-x64.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "veraport.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "veraportmain20.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "verainagent.exe")
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, certutil.exe, 0000001D.00000002.2062375714.0000000073C34000.00000002.00000001.01000000.00000015.sdmp, is-16653.tmp.1.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: certutil.exe, certutil.exe, 00000023.00000003.2081288335.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2082348694.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2083856482.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002B.00000003.2109945645.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002B.00000003.2108759188.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002B.00000003.2110684105.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2128217391.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126276450.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2138816259.00000000010B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL a3 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 00000031.00000003.2128662812.000000000157E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126601031.000000000157E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001577000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126848119.000000000157E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000002.2140351331.0000000001068000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL ace536359 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, certutil.exe, 0000001F.00000003.2067193775.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2068760984.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.00000000015C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL a82 FROM nssPublic WHERE id=$ID;
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, certutil.exe, 0000001D.00000002.2062375714.0000000073C34000.00000002.00000001.01000000.00000015.sdmp, is-16653.tmp.1.drBinary or memory string: SELECT ALL * FROM %s WHERE %s;
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, certutil.exe, 0000001D.00000002.2062375714.0000000073C34000.00000002.00000001.01000000.00000015.sdmp, is-16653.tmp.1.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, certutil.exe, 0000001D.00000002.2062375714.0000000073C34000.00000002.00000001.01000000.00000015.sdmp, is-16653.tmp.1.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: certutil.exe, certutil.exe, 00000023.00000003.2081288335.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2082348694.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2083856482.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002B.00000003.2109945645.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002B.00000003.2108759188.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002B.00000003.2110684105.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2128217391.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2126276450.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2156389916.0000000001278000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL a102 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 00000037.00000003.2158056999.00000000012E2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2154605319.00000000012E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2151037010.00000000012E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2155254110.00000000012E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL * FROM nssPublic WHERE a0=$DATA0 AND a3=$DATA1;
Source: certutil.exe, 0000001F.00000003.2068589203.0000000001625000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001624000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000002.2069928098.0000000001627000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2081288335.0000000001034000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2080444595.0000000001037000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2083467137.0000000001036000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000002.2085321580.0000000001037000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2127580795.0000000001543000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2127849502.0000000001543000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001542000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129664093.0000000001543000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL * FROM nssPrivate WHERE a102=$DATA0 AND a0=$DATA1;
Source: veraport-g3-x64.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\veraport-g3-x64.exe File read: C:\Users\user\Desktop\veraport-g3-x64.exe
Source: unknown Process created: C:\Users\user\Desktop\veraport-g3-x64.exe "C:\Users\user\Desktop\veraport-g3-x64.exe"
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Process created: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp "C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp" /SL5="$60386,28872543,119296,C:\Users\user\Desktop\veraport-g3-x64.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe "C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe" /addloopback
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe Process created: C:\Windows\System32\CheckNetIsolation.exe "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Source: C:\Windows\System32\CheckNetIsolation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe "C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe" /link
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im verainagent.exe
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll"
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe "C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe" veraport20.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe "C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe" /force /gencert /target veraport
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe "C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp "C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp" /SL5="$702DC,5451002,118784,C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp Process created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe" -fw add
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" config WizveraPMSvc start= auto
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp Process created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" /i
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" start WizveraPMSvc
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Wizvera-Veraport-G3(x64)" dir=in program="C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" action=allow
Source: C:\Windows\System32\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start WizveraPMSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp "C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp" /SL5="$702DC,5451002,118784,C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpProcess created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe" -fw add
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" config WizveraPMSvc start= auto
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpProcess created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" /i
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" start WizveraPMSvc
Source: C:\Users\user\Desktop\veraport-g3-x64.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\veraport-g3-x64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mapconfiguration.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: oledlg.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\CheckNetIsolation.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\CheckNetIsolation.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\CheckNetIsolation.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\CheckNetIsolation.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\CheckNetIsolation.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\CheckNetIsolation.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\CheckNetIsolation.exeSection loaded: fwpolicyiomgr.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dllJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: oledlg.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: oledlg.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\regsvr32.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: veraport20.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: oledlg.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: wininet.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: samcli.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpWindow found: window name: TMainForm
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-M4IGQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-ROPB8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-L4QKL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-UH4U1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-41JG5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-2TBQT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-QBQRE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2D992E01-604B-472C-A883-1DDA105A24D5}_is1
Source: veraport-g3-x64.exeStatic PE information: certificate valid
Source: veraport-g3-x64.exeStatic file information: File size 29273808 > 1048576
Source: veraport-g3-x64.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\wizvera\Desktop\WizveraRegsvr\x64\Release\WizveraRegsvr.pdb source: wizveraregsvr.exe, 0000001A.00000000.2015566570.00007FF76E4C3000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: msvcr120.i386.pdb source: certutil.exe, certutil.exe, 0000001D.00000002.2060220556.000000006C821000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000027.00000002.2095362672.000000006C9AB000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: D:\myproject\veraport\client\veraport-git\x64\Release\veraport-x64.pdb source: veraport-x64.exe, 00000046.00000003.2314436870.00000000022C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: veraport20unloader.exe, 0000000B.00000000.1857609150.00000001403C4000.00000080.00000001.01000000.00000008.sdmp, veraport-x64.exe, 00000046.00000002.2493412405.00007FF64C347000.00000040.00000001.01000000.0000001E.sdmp, veraport-x64.exe, 00000046.00000000.2287433051.00007FF64C327000.00000080.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\project\WizveraMonitorSvc\Release\WizSvcUtil.pdb source: WizSvcUtil.exe, 0000003D.00000000.2186783101.0000000000486000.00000002.00000001.01000000.0000001C.sdmp, WizSvcUtil.exe, 0000003D.00000002.2203739867.0000000000486000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: veraport20unloader.exe, 0000000B.00000000.1857609150.00000001403C4000.00000080.00000001.01000000.00000008.sdmp, veraport-x64.exe, 00000046.00000002.2493412405.00007FF64C347000.00000040.00000001.01000000.0000001E.sdmp, veraport-x64.exe, 00000046.00000000.2287433051.00007FF64C327000.00000080.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\project\veraport20-trunk\Release\wizcertutil.pdb source: wizcertutil.exe, 0000001C.00000000.2029147646.0000000000CF6000.00000002.00000001.01000000.0000000C.sdmp
Source: initial sampleStatic PE information: section where entry point is pointing to: .themida
Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: veraport20unloader.exe.1.drStatic PE information: section name: .themida
Source: is-ROPB8.tmp.1.drStatic PE information: section name:
Source: is-ROPB8.tmp.1.drStatic PE information: section name:
Source: is-ROPB8.tmp.1.drStatic PE information: section name:
Source: is-ROPB8.tmp.1.drStatic PE information: section name:
Source: is-ROPB8.tmp.1.drStatic PE information: section name:
Source: is-ROPB8.tmp.1.drStatic PE information: section name:
Source: is-ROPB8.tmp.1.drStatic PE information: section name: .themida
Source: is-L4QKL.tmp.1.drStatic PE information: section name:
Source: is-L4QKL.tmp.1.drStatic PE information: section name:
Source: is-L4QKL.tmp.1.drStatic PE information: section name:
Source: is-L4QKL.tmp.1.drStatic PE information: section name:
Source: is-L4QKL.tmp.1.drStatic PE information: section name:
Source: is-L4QKL.tmp.1.drStatic PE information: section name: .themida
Source: is-UH4U1.tmp.1.drStatic PE information: section name:
Source: is-UH4U1.tmp.1.drStatic PE information: section name:
Source: is-UH4U1.tmp.1.drStatic PE information: section name:
Source: is-UH4U1.tmp.1.drStatic PE information: section name:
Source: is-UH4U1.tmp.1.drStatic PE information: section name:
Source: is-UH4U1.tmp.1.drStatic PE information: section name: .themida
Source: is-HFR1U.tmp.1.drStatic PE information: section name:
Source: is-HFR1U.tmp.1.drStatic PE information: section name:
Source: is-HFR1U.tmp.1.drStatic PE information: section name:
Source: is-HFR1U.tmp.1.drStatic PE information: section name:
Source: is-HFR1U.tmp.1.drStatic PE information: section name:
Source: is-HFR1U.tmp.1.drStatic PE information: section name: .themida
Source: is-QBQRE.tmp.1.drStatic PE information: section name:
Source: is-QBQRE.tmp.1.drStatic PE information: section name:
Source: is-QBQRE.tmp.1.drStatic PE information: section name:
Source: is-QBQRE.tmp.1.drStatic PE information: section name:
Source: is-QBQRE.tmp.1.drStatic PE information: section name:
Source: is-QBQRE.tmp.1.drStatic PE information: section name:
Source: is-QBQRE.tmp.1.drStatic PE information: section name: .themida
Source: is-GTH4V.tmp.58.drStatic PE information: section name: .themida
Source: is-K6R7B.tmp.58.drStatic PE information: section name: .themida
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpProcess created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll"
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeCode function: 16_2_00000001400D191C push ss; retf 16_2_00000001400D191A
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeCode function: 16_2_00000001400D191C push FC56EE1Bh; retf 16_2_00000001400D1985
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeCode function: 16_2_00000001400D1978 push ss; retf 16_2_00000001400D191A
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeCode function: 16_2_00000001400D1978 push FC56EE1Bh; retf 16_2_00000001400D1985
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BACA38 push ecx; retf 25_2_00BACA39
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BAEAAC pushad ; ret 25_2_00BAEAAE
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BABDA1 push ecx; retf 25_2_00BABDC9
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BAD318 push ecx; retf 25_2_00BAD319
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BACA08 push ecx; retf 25_2_00BACA09
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BAEF08 push ecx; retf 25_2_00BAEF09
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BAD50C pushad ; ret 25_2_00BAD50E
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BACBF0 pushfd ; retf 25_2_00BACD29
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BAE866 pushad ; retf 25_2_00BAE867
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BACD5F pushfd ; retf 25_2_00BACD89
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BAC248 push ecx; retf 25_2_00BAC249
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00BAD2C6 pushad ; retf 25_2_00BAD2C7
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00FECE78 push eax; retf 25_2_00FECE79
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00FEC7C9 push eax; retf 25_2_00FEC7D1
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00FECFB0 pushad ; retf 25_2_00FED099
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00FF281A push ecx; retf 25_2_00FF2822
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00FF2C10 push ecx; retf 25_2_00FF2C3A
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00FE4410 pushad ; retf 25_2_00FE4421
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_00FFD0E8 pushad ; retf 25_2_00FFD1C1
Source: C:\Windows\System32\regsvr32.exeCode function: 25_2_0100145D push ebp; iretd 25_2_01001466
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeCode function: 26_2_004FEDC8 push ecx; retf 26_2_004FEDC9
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeCode function: 26_2_004FE0C0 pushfd ; retf 26_2_004FE0E9
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeCode function: 26_2_004FE96C pushad ; ret 26_2_004FE96E
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeCode function: 26_2_004FDD98 push ecx; retf 26_2_004FDD99
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeCode function: 26_2_004FCE90 push esi; retf 26_2_004FCE91
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeCode function: 26_2_004FD5A8 push ecx; retf 26_2_004FD5A9
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeCode function: 26_2_004FE726 pushad ; retf 26_2_004FE727
Source: veraport20unloader.exe.1.drStatic PE information: section name: entropy: 7.989457649411099
Source: is-UH4U1.tmp.1.drStatic PE information: section name: entropy: 7.989457649411099
Source: is-HFR1U.tmp.1.drStatic PE information: section name: entropy: 7.986609900748852
Source: is-QBQRE.tmp.1.drStatic PE information: section name: entropy: 7.985305374482072
Source: is-UNN4K.tmp.1.drStatic PE information: section name: .text entropy: 6.95576372950548

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99F491E3B3B73D9E94ECC302315FD024F4C78C91 Blob
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99F491E3B3B73D9E94ECC302315FD024F4C78C91 Blob
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-GTH4V.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-LFTRG.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nspr4.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-K6R7B.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-SK5IC.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-UH4U1.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\veraport20.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-SK5IC.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nssdbm3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-M27Q7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\freebl3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-QBQRE.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-7FRC5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-16653.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\is-046MP.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-B2FVE.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-SUBQN.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nss3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\veraport20unloader.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\npveraport20.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nssutil3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\ssl3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-UNN4K.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-UP14J.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\is-KK4A2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-0KS0O.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-M4IGQ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\smime3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\plc4.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\msvcr120.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exeFile created: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\plds4.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\mozillafinder.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\veraportmain20.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-B16R3.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-S2732.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-L4QKL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\is-HFR1U.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-MLEMF.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-41JG5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-7B3IO.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\sqlite3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-2TBQT.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-2OT9H.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe (copy)Jump to dropped file
Source: C:\Users\user\Desktop\veraport-g3-x64.exeFile created: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-5BP0J.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\softokn3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-ROPB8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\unins000.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nssckbi.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-11-21 #001.txtJump to behavior

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\veraport.exe CWDIllegalInDllSearchJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\veraportmain20.exe CWDIllegalInDllSearchJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpmsvc.exe CWDIllegalInDllSearch
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wizvera-veraport-x64Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Users\user\Desktop\veraport-g3-x64.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Windows\System32\regsvr32.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exeSystem information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeSystem information queried: FirmwareTableInformation
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSystem information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Source: C:\Windows\System32\regsvr32.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\System32\svchost.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-0KS0O.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-M4IGQ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-LFTRG.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SK5IC.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\mozillafinder.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\veraportmain20.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-B16R3.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SK5IC.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-L4QKL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-S2732.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nssdbm3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-M27Q7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\freebl3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\is-HFR1U.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-MLEMF.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-41JG5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-7B3IO.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-7FRC5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-16653.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-2OT9H.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-SUBQN.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-5BP0J.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\ssl3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-UNN4K.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\softokn3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-UP14J.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-ROPB8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\unins000.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nssckbi.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeAPI coverage: 0.7 %
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeAPI coverage: 8.0 %
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeAPI coverage: 5.3 %
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe TID: 2712Thread sleep count: 89 > 30
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D79860 FindFirstFileA,GetLastError,35_2_73D79860
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 37_2_73D99860 FindFirstFileA,GetLastError,37_2_73D99860
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D68190 GetSystemInfo,35_2_73D68190
Source: svchost.exe, 00000005.00000002.2476229539.0000029C7E064000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: svchost.exe, 00000005.00000002.2473938688.0000029C7E024000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: certutil.exe, 00000027.00000003.2092441659.0000000000715000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: certutil.exe, 0000001D.00000003.2058105222.0000000001290000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: WizSvcUtil.exe, 0000003D.00000002.2210467847.00000000015BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__n
Source: svchost.exe, 00000005.00000002.2476229539.0000029C7E082000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2473938688.0000029C7E024000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: certutil.exe, 00000023.00000002.2084673356.0000000000F88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: certutil.exe, 00000037.00000003.2159428440.0000000001233000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: svchost.exe, 00000005.00000002.2472361873.0000029C7E002000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000005.00000002.2476229539.0000029C7E064000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
Source: svchost.exe, 00000005.00000002.2476229539.0000029C7E064000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 00000005.00000002.2477613081.0000029C7E08C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2474928531.0000029C7E04D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: certutil.exe, 00000031.00000003.2128700251.00000000014A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
Source: veraport-g3-x64.exeBinary or memory string: \qemU
Source: certutil.exe, 0000001F.00000002.2069597003.0000000001579000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000021.00000003.2073364186.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000025.00000003.2087979683.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000029.00000003.2100587089.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002D.00000003.2116183835.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002F.00000003.2120578488.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002F.00000003.2120716416.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2139432726.0000000001075000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000035.00000003.2144830468.0000000001465000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000046.00000002.2470988880.0000000000765000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: certutil.exe, 0000002B.00000003.2111589931.0000000001564000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exeSystem information queried: ModuleInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\System32\regsvr32.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exeThread information set: HideFromDebugger
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeThread information set: HideFromDebugger
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeThread information set: HideFromDebugger
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeThread information set: HideFromDebugger
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeOpen window title or class name: gbdyllo
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeOpen window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess queried: DebugObjectHandleJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess queried: DebugObjectHandleJump to behavior
Source: C:\Windows\System32\regsvr32.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\System32\regsvr32.exeProcess queried: DebugObjectHandleJump to behavior
Source: C:\Windows\System32\regsvr32.exeProcess queried: DebugPortJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeProcess queried: DebugPortJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeProcess queried: DebugObjectHandleJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeProcess queried: DebugPortJump to behavior
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exeProcess queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exeProcess queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exeProcess queried: DebugObjectHandle
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeProcess queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeProcess queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeProcess queried: DebugObjectHandle
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeProcess queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeProcess queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeProcess queried: DebugObjectHandle
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeProcess queried: DebugPort
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeProcess queried: DebugObjectHandle
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeProcess queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C75D29D IsDebuggerPresent,_crt_debugger_hook,__crtUnhandledException,_crt_debugger_hook,__crtTerminateProcess,29_2_6C75D29D
Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeNtQueryInformationProcess: Indirect: 0x1808579B2Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeNtQueryInformationProcess: Indirect: 0x140589F7BJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeNtQueryInformationProcess: Indirect: 0x7FF64C5583CA
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeNtSetInformationThread: Indirect: 0x140567144Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeNtQueryInformationProcess: Indirect: 0x180880DB5Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeNtSetInformationThread: Indirect: 0x18086A115Jump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeNtQueryInformationProcess: Indirect: 0x7FF64C538479
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeNtQueryInformationProcess: Indirect: 0x14058443FJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeNtSetInformationThread: Indirect: 0x7FF64C53F2B3
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\CheckNetIsolation.exe "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbweJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im verainagent.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im verainagent.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D78A80 GetLastError,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,GetLengthSid,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetLastError,35_2_73D78A80
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D78930 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLengthSid,CopySid,GetTokenInformation,GetLengthSid,CopySid,CloseHandle,AllocateAndInitializeSid,35_2_73D78930
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C75D3D5 cpuid 29_2_6C75D3D5
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeQueries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 29_2_6C75D79B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,29_2_6C75D79B
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeCode function: 35_2_73D7A7F0 GetVersionExA,35_2_73D7A7F0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cvalJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmpProcess created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
Source: svchost.exe, 00000006.00000002.2479343674.000001417E502000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000006.00000002.2479343674.000001417E502000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert6.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert6.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert5.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert7.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert7.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert5.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\key.db
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7AAC40 sqlite3_bind_blob,29_2_6C7AAC40
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7AACF0 sqlite3_bind_int,29_2_6C7AACF0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7AAC90 sqlite3_bind_double,29_2_6C7AAC90
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7AAE70 sqlite3_bind_null,29_2_6C7AAE70
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7AAE10 sqlite3_bind_int64,29_2_6C7AAE10
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7AAF10 sqlite3_bind_text,29_2_6C7AAF10
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7AB440 sqlite3_bind_parameter_count,29_2_6C7AB440
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7AB4E0 sqlite3_bind_parameter_name,29_2_6C7AB4E0
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7AB550 sqlite3_clear_bindings,29_2_6C7AB550
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7AB510 sqlite3_bind_parameter_index,29_2_6C7AB510
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 29_2_6C7A2630 sqlite3_transfer_bindings,29_2_6C7A2630
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 35_2_73D7A860 listen,WSAGetLastError,35_2_73D7A860
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 35_2_73D7A690 bind,WSAGetLastError,35_2_73D7A690
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 37_2_73D9A860 listen,WSAGetLastError,37_2_73D9A860
Source: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe | Code function: 37_2_73D9A690 bind,WSAGetLastError,37_2_73D9A690
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 32 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Image File Execution Options Injection | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Browser Session Hijacking | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | 2 Windows Service | 1 Image File Execution Options Injection | 1 Abuse Elevation Control Mechanism | Security Account Manager | 49 System Information Discovery | SMB/Windows Admin Shares | 1 Data from Local System | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 21 Registry Run Keys / Startup Folder | 2 Windows Service | 3 Obfuscated Files or Information | NTDS | 561 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Install Root Certificate | LSA Secrets | 34 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 21 Registry Run Keys / Startup Folder | 2 Software Packing | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 2 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 3 Masquerading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Modify Registry | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 34 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 11 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
| Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Regsvr32 | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |
Behavior Graph (graph image not preserved): ID: 1560644, Sample: veraport-g3-x64.exe, Startdate: 22/11/2024, Architecture: WINDOWS, Score: 54

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| veraport-g3-x64.exe | 11% | ReversingLabs | | |
| veraport-g3-x64.exe | 6% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy) | 21% | ReversingLabs | | |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-0KS0O.tmp | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-GTH4V.tmp | 21% | ReversingLabs | | |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-K6R7B.tmp | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.exe (copy) | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-2TBQT.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-41JG5.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-L4QKL.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-M4IGQ.tmp | 3% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-QBQRE.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-ROPB8.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-UH4U1.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\npveraport20.dll (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\unins000.exe (copy) | 3% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\veraport-x64.exe (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\veraport20.dll (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\veraport20unloader.exe (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\veraportmain20.exe (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp | 3% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp | 5% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\is-046MP.tmp | 17% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\is-HFR1U.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\is-KK4A2.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\mozillafinder.exe (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\freebl3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-16653.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-2OT9H.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-5BP0J.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-7B3IO.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-7FRC5.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-B16R3.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-B2FVE.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-LFTRG.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-M27Q7.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-MLEMF.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-S2732.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-SUBQN.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-UNN4K.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\is-UP14J.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\msvcr120.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nspr4.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nss3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nssckbi.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nssdbm3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\nssutil3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\plc4.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\plds4.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\smime3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\softokn3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\sqlite3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\ssl3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe (copy) | 17% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-SK5IC.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-SK5IC.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | | |

No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
| --- | --- | --- | --- | --- |
| http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl0# | 0% | Avira URL Cloud | safe | |
| http://cacerts.? | 0% | Avira URL Cloud | safe | |
| http://www.cnnic.cn/download/cert/CNNICROOT.cer0 | 0% | Avira URL Cloud | safe | |
| http://veraport.wizvera.com/agreement.html | 0% | Avira URL Cloud | safe | |
| http://www.phreedom.org/md5)Digital | 0% | Avira URL Cloud | safe | |
| http://veraport.wizvera.com/agreement.html | 0% | Virustotal | | Browse |
| http://crl.cnnic.cn/download/rootsha2crl/CRL1.crl0 | 0% | Avira URL Cloud | safe | |
| http://www.wizvera.com | 0% | Avira URL Cloud | safe | |
| http://www.phreedom.org/md5)Digital | 1% | Virustotal | | Browse |
| http://ocsp.suscerte.gob.ve0A | 0% | Avira URL Cloud | safe | |
| http://www.wizvera.comq | 0% | Avira URL Cloud | safe | |
| http://www.trustdst.com/certificates/policy/ACES-index.html0 | 0% | Avira URL Cloud | safe | |
| http://www.phreedom.org/md5)0 | 0% | Avira URL Cloud | safe | |
| http://www.cnnic.cn/cps/0 | 0% | Avira URL Cloud | safe | |
| http://www.wizvera.com1 | 0% | Avira URL Cloud | safe | |
| http://help.wizvera.com/help/faq/killprocess.htmlInvalid | 0% | Avira URL Cloud | safe | |

No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                              high
                                                                                              http://www.quovadis.bm0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://ocsp.suscerte.gob.ve0Averaport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://crl3.digicecertutil.exe, 0000001F.00000003.2067647963.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2067193775.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.trustdst.com/certificates/policy/ACES-index.html0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000003.00000003.1366791753.0000027F75458000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.accv.es00veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.pkioverheid.nl/policies/root-policy-G20veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://www.netlock.net/docsveraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.phreedom.org/md5)0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://crl.entrust.net/2048ca.crl0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000003.00000003.1366902104.0000027F75441000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1367463884.0000027F75442000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000003.00000003.1366937041.0000027F75430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1366791753.0000027F75458000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://fedir.comsign.co.il/crl/ComSignCA.crl0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.cnnic.cn/cps/0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://dev.virtualearth.net/REST/v1/Routes/Drivingsvchost.exe, 00000003.00000003.1366791753.0000027F75458000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://ocsp.entrust.net03veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashxsvchost.exe, 00000003.00000003.1366902104.0000027F75441000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUveraport-g3-x64.exefalse
                                                                                                                            high
                                                                                                                            http://cps.chambersign.org/cps/chambersroot.html0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://www.firmaprofesional.com/cps0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://crl.securetrust.com/SGCA.crl0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://crl.securetrust.com/STCA.crl0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://mozilla.org/MPL/2.0/.is-7BT79.tmp.1.drfalse
                                                                                                                                      high
                                                                                                                                      http://www.openssl.org/support/faq.htmlwpmsvc.exe, 00000041.00000002.2235018008.00000000009AA000.00000002.00000001.01000000.0000001D.sdmp, wpmsvc.exe, 00000041.00000000.2215159309.00000000009AA000.00000002.00000001.01000000.0000001D.sdmp, is-K6R7B.tmp.58.drfalse
                                                                                                                                        high
                                                                                                                                        https://dev.ditu.live.com/mapcontrol/logging.ashxsvchost.exe, 00000003.00000003.1366791753.0000027F75458000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=svchost.exe, 00000003.00000002.1367389589.0000027F7542B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://www.wizvera.com1veraport-g3-x64.exe, 00000000.00000003.2330865244.0000000002301000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.exe, 00000039.00000003.2280978841.0000000002451000.00000004.00001000.00020000.00000000.sdmp, wpmsvcsetup.tmp, 0000003A.00000003.2274199239.0000000002451000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://www.e-szigno.hu/RootCA.crt0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://www.quovadisglobal.com/cps0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://x1.c.lencr.org/0certutil.exe, 0000001F.00000002.2069974782.0000000001645000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.000000000162F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2081288335.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077330181.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079742279.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079200331.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2078362563.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001562000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.0000000001567000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.000000000154E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.000000000156C000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2135507810.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2136439734.000000000113B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2133140189.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2133572365.0000000001124000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2155254110.0000000001298000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
00000037.00000003.2152522775.0000000001732000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2154605319.00000000012E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2151037010.00000000012E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2149001604.0000000001731000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://x1.i.lencr.org/0certutil.exe, 0000001F.00000002.2069974782.0000000001645000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.0000000001644000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001F.00000003.2065949267.000000000162F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2081288335.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2077330181.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079742279.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2079200331.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000023.00000003.2078362563.000000000103F000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.0000000001562000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.0000000001567000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000003.2124724497.000000000154E000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000031.00000002.2129699668.000000000156C000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2135507810.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2136439734.000000000113B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2133140189.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000033.00000003.2133572365.0000000001124000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2155254110.0000000001298000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
00000037.00000003.2152522775.0000000001732000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2154605319.00000000012E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2151037010.00000000012E0000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000037.00000003.2149001604.0000000001731000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://help.wizvera.com/help/faq/killprocess.htmlInvalidveraport20unloader.exe, 0000000B.00000003.1867927274.0000000000400000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://www.e-szigno.hu/SZSZ/0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://ocsp.quovadisoffshore.com0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://ocsp.entrust.net0Dveraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://cps.chambersign.org/cps/chambersignroot.html0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000003.00000003.1366663854.0000027F75467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1367389589.0000027F7542B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashxsvchost.exe, 00000003.00000003.1366791753.0000027F75458000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://crl.entrust.net/server1.crl0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://www.accv.es/legislacion_c.htm0Uveraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://dev.ditu.live.com/REST/v1/Transit/Stops/svchost.exe, 00000003.00000003.1366494034.0000027F75474000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://ocsp.accv.es0veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://dev.virtualearth.net/REST/v1/Traffic/Incidents/svchost.exe, 00000003.00000003.1366697984.0000027F75464000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1367445078.0000027F7543F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://rca.e-szigno.hu/ocsp0-veraport-g3-x64.tmp, 00000001.00000003.2307286104.0000000005B60000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1560644
Start date and time:2024-11-22 04:17:58 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 10m 54s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:78
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:veraport-g3-x64.exe
Detection:MAL
Classification:mal54.phis.spyw.evad.winEXE@113/100@0/0
EGA Information:
• Successful, ratio: 33.3%
HCA Information:Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target certutil.exe, PID 2272 because there are no executed function
• Execution Graph export aborted for target regsvr32.exe, PID 4952 because there are no executed function
                                                                                                                                                                              • Execution Graph export aborted for target veraport20unloader.exe, PID 3460 because there are no executed function
                                                                                                                                                                              • Execution Graph export aborted for target wizcertutil.exe, PID 1920 because there are no executed function
                                                                                                                                                                              • Execution Graph export aborted for target wizveraregsvr.exe, PID 3916 because there are no executed function
                                                                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time: 22:19:36, Type: API Interceptor, Description: 1x Sleep call for process: MpCmdRun.exe modified
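Match: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-0KS0O.tmp
• Associated Sample Name / URL: veraport-g3-x64.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: veraport-g3-x64.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: veraport-g3-x64.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: https://bizbank.shinhan.com/sw/wizvera/veraport/install20/install_eng.html, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: sass.zip, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: veraport-g3s-x64-sha2.exe, Detection: malicious, Threat Name: Unknown
Match: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy)
• Associated Sample Name / URL: veraport-g3-x64.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: veraport-g3-x64.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: veraport-g3-x64.exe, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: https://bizbank.shinhan.com/sw/wizvera/veraport/install20/install_eng.html, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: sass.zip, Detection: malicious, Threat Name: Unknown
• Associated Sample Name / URL: veraport-g3s-x64-sha2.exe, Detection: malicious, Threat Name: Unknown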
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp
                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):4758688
                                                                                                                                                                                                      Entropy (8bit):6.245945172384072
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:49152:4xvLijESMeeBXm5CK5s89n0X1nFRWX4rsht6FtFJOaKFeH:4xTLveeBXmMK5syn0Fn/WRht6FtOaKUH
                                                                                                                                                                                                      MD5:50E4842EA92F74B2C82426FF562E2CCD
                                                                                                                                                                                                      SHA1:77791214B5DD1E05606895983E086AEF6CB56E37
                                                                                                                                                                                                      SHA-256:1D30213F461B5A48B7B230C926F8D83455B0EDC4AB636140170F7B86C2EDB3CC
                                                                                                                                                                                                      SHA-512:A8514B907721E2B55EF5EBFEE37C9551A313951E95B5AFB8576FB3D4EF9E5F35AC94BBEAB69FE7A4BEE4704CCC7C8657AA5FE02FF21E2B64B60B826184474DDB
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                                                                                                      Joe Sandbox View:
• Filename: veraport-g3-x64.exe, Detection: malicious
• Filename: veraport-g3-x64.exe, Detection: malicious
• Filename: veraport-g3-x64.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: sass.zip, Detection: malicious
• Filename: veraport-g3s-x64-sha2.exe, Detection: malicious
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp
                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1193161
                                                                                                                                                                                                      Entropy (8bit):6.371245482388537
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24576:Y4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96uYxyxg:9T90guMXEdqwHkUjr
                                                                                                                                                                                                      MD5:AAFDCB24246D5018716BA7FE24488125
                                                                                                                                                                                                      SHA1:FE84A2480A9561A63A9DABC5C1C3A2C3EE082BC7
                                                                                                                                                                                                      SHA-256:4AEB5405CCF74214098229712CDF6157A4783B51FC42086408A5D0D9169DE41E
                                                                                                                                                                                                      SHA-512:74C053460B769FAB296D5EC96F4EBC6B042ECBD44EAA6718BAB9BE460BB3227B15E9F5109973B318C8A59EAA645BC42CD0769FF7A8EC2C18612494E10715570F
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                      Joe Sandbox View:
• Filename: veraport-g3-x64.exe, Detection: malicious
• Filename: veraport-g3-x64.exe, Detection: malicious
• Filename: veraport-g3-x64.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: sass.zip, Detection: malicious
• Filename: veraport-g3s-x64-sha2.exe, Detection: malicious
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp
                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):4758688
                                                                                                                                                                                                      Entropy (8bit):6.245945172384072
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:49152:4xvLijESMeeBXm5CK5s89n0X1nFRWX4rsht6FtFJOaKFeH:4xTLveeBXmMK5syn0Fn/WRht6FtOaKUH
                                                                                                                                                                                                      MD5:50E4842EA92F74B2C82426FF562E2CCD
                                                                                                                                                                                                      SHA1:77791214B5DD1E05606895983E086AEF6CB56E37
                                                                                                                                                                                                      SHA-256:1D30213F461B5A48B7B230C926F8D83455B0EDC4AB636140170F7B86C2EDB3CC
                                                                                                                                                                                                      SHA-512:A8514B907721E2B55EF5EBFEE37C9551A313951E95B5AFB8576FB3D4EF9E5F35AC94BBEAB69FE7A4BEE4704CCC7C8657AA5FE02FF21E2B64B60B826184474DDB
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp
                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):5647008
                                                                                                                                                                                                      Entropy (8bit):6.337662956974294
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:Wq4jd67cvZUPTsYof+yJw6nWWkG82uNWFZEGve:ad5Kwg7GTuNEaWe
                                                                                                                                                                                                      MD5:3C126066F71E9A97F6D8E6383D4BA9B0
                                                                                                                                                                                                      SHA1:FCB11C73896ECF7529AEFD0D1D9E018FF033F01E
                                                                                                                                                                                                      SHA-256:89F20D64BB5F74375334BED6C6D97EB6A691EA2FA6F5B62138D91DD6E064C3F3
                                                                                                                                                                                                      SHA-512:57FC93E1BBE9B2D5B56E18F5181A551CE5329C336CA214ECBD3A911B22BB418CC573F3EA719B2F7D77E6E7DA47F50E2C25C6A0CD1E9CB192B7D5DDC5C1A33DC6
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp
                                                                                                                                                                                                      File Type:InnoSetup Log WIZVERA Process Manager {8941A397-4065-4F41-92CE-0EB610846EED}, version 0x418, 5471 bytes, 287400\37\user\376\, C:\Program Files (x86)\Wizvera\Common\wpms
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):5471
                                                                                                                                                                                                      Entropy (8bit):4.026841747786812
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:96:WgkZ4XyHynQy6ayGyG+4wC1TkTIfc1AGlEDA4MZAe2LI/zktLT9e/hVHHhv:WnNSN6jfG+9If7fDSmPt4VHx
                                                                                                                                                                                                      MD5:0772257E1EC6F07B1983BF98C45232CD
                                                                                                                                                                                                      SHA1:FE2005369903A64BFDA8C1847543B58E28A0FD33
                                                                                                                                                                                                      SHA-256:5B6DC02E76A2C057479FA9305133817E3B4F3CE5AFDEB89A343DCD0A0E8A6B61
                                                                                                                                                                                                      SHA-512:E043FB5C2EAA38CB72D1917A20C0BC467C8399A5F68D20B19C18110ADBE4C01A93FBFE0FA1F74D228CDFF3F8C22C9CFE21E2C1DECB51F07AB73313E29218EDA0
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp
                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1193161
                                                                                                                                                                                                      Entropy (8bit):6.371245482388537
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24576:Y4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96uYxyxg:9T90guMXEdqwHkUjr
                                                                                                                                                                                                      MD5:AAFDCB24246D5018716BA7FE24488125
                                                                                                                                                                                                      SHA1:FE84A2480A9561A63A9DABC5C1C3A2C3EE082BC7
                                                                                                                                                                                                      SHA-256:4AEB5405CCF74214098229712CDF6157A4783B51FC42086408A5D0D9169DE41E
                                                                                                                                                                                                      SHA-512:74C053460B769FAB296D5EC96F4EBC6B042ECBD44EAA6718BAB9BE460BB3227B15E9F5109973B318C8A59EAA645BC42CD0769FF7A8EC2C18612494E10715570F
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp
                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):5647008
                                                                                                                                                                                                      Entropy (8bit):6.337662956974294
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:Wq4jd67cvZUPTsYof+yJw6nWWkG82uNWFZEGve:ad5Kwg7GTuNEaWe
                                                                                                                                                                                                      MD5:3C126066F71E9A97F6D8E6383D4BA9B0
                                                                                                                                                                                                      SHA1:FCB11C73896ECF7529AEFD0D1D9E018FF033F01E
                                                                                                                                                                                                      SHA-256:89F20D64BB5F74375334BED6C6D97EB6A691EA2FA6F5B62138D91DD6E064C3F3
                                                                                                                                                                                                      SHA-512:57FC93E1BBE9B2D5B56E18F5181A551CE5329C336CA214ECBD3A911B22BB418CC573F3EA719B2F7D77E6E7DA47F50E2C25C6A0CD1E9CB192B7D5DDC5C1A33DC6
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):235240
                                                                                                                                                                                                      Entropy (8bit):6.053292853230514
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:etvjHwoQlaxnvqSzAZZkmvqztQ+i5QJ1005CQ6RJdbk5t5i8Gnlo80:o7Hwz2nvtAZQztQVQJt516rdQC8G8
                                                                                                                                                                                                      MD5:AA4EF1C182A79F24B519167C41FAB32E
                                                                                                                                                                                                      SHA1:D87210DEBD30250C8D9C3091D2A7ED1A3C662D1B
                                                                                                                                                                                                      SHA-256:5F196219171FB668B4022ACBE3E1D58A90D202D0622D6EBCD67D224AD9ED58DB
                                                                                                                                                                                                      SHA-512:2EA4A65126B44A1DBD467297D0D769F6AAFD7E9D084B79AF8BC967F0AC382A766B0F6940D5DF15101F585EE2C07E75A40D87D6A0B1C987C863FB6DF50A933C07
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):279904
                                                                                                                                                                                                      Entropy (8bit):6.156710302086518
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6144:unlDl8nN7c/XNJetFi1HvJuXIJX0BtJ15f7ZplD7B0a1gn:ulDcc/itFwvJuIXoJ15tel
                                                                                                                                                                                                      MD5:13AAD16F4791D1080D10E6E8B907734C
                                                                                                                                                                                                      SHA1:F5D01FEB67C081D9663A74B0A2EEAF17275E6B42
                                                                                                                                                                                                      SHA-256:9E41501AA193F96D46C6E2CA946B7B5784907B899665A5C9E35D9D2B0DE8DB67
                                                                                                                                                                                                      SHA-512:FBA91F7F3C5796DD7492A303E575895D169CBDC677551F64CF230329DFAE87324A37FDD559E73E60C073854B6F4D73A94D5CA8463E1D5D2824612031C71D6754
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):8082112
                                                                                                                                                                                                      Entropy (8bit):6.699109752405599
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:LA4PMK1QlhGtxaNIgU4rIFQ8AWKxrE8xuX+QbwcA0tV73qTSqsZOY14:0K1HiIRZ+U30uXPUcA0tV1qsZOc4
                                                                                                                                                                                                      MD5:B9A9FA47A5A1056917219012C311889B
                                                                                                                                                                                                      SHA1:714D5C04E1CCCB5F37176B8AEAC00CA11B87E29D
                                                                                                                                                                                                      SHA-256:72AFD216BCDE8B79977BA6F078386FCBDEB924799FCFD6262BD36B0C529260B1
                                                                                                                                                                                                      SHA-512:6C2B2C49EDCE3830B98407D389734E0C7C568699CFF1DABF00269DA29ED9F8B2A955BD32B95797FF39EF3BFB1E0FB8645F000CE9F39618701A4689CC613AEC10
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1199817
                                                                                                                                                                                                      Entropy (8bit):6.371990801910363
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24576:cKbqslNoiGO+h84C6f8HSCNFfoJMpNOErZTOzu5xTxyt6:zwY6fULNntNX5
                                                                                                                                                                                                      MD5:61431AA6633534DEBB7617FB54C396F0
                                                                                                                                                                                                      SHA1:AB23DEAF03AE2B470F1643C9F43F3C6A11CD0EDC
                                                                                                                                                                                                      SHA-256:E16D30A47BDF0CC246CD22506B8DDC9210086EA0BA9E080568BC934ECECBAA4B
                                                                                                                                                                                                      SHA-512:A8C7E94167ABEDBCA1340D227A491CD879CBAAE74633CDEA7A3865012329E28A08D2E368C4DBE341510A5323F7E827474F921D08EB1057CA65BCB00C7B65F293
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):7671488
                                                                                                                                                                                                      Entropy (8bit):6.629886699797603
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:3ww9fmOCkWMkureUiWb9TcSG8hqu8lPjK+FmcWt:3LrCSkuqnWb9TcAhPSVQcM
                                                                                                                                                                                                      MD5:FEB822E7254B73E0D4615BE26A32917F
                                                                                                                                                                                                      SHA1:90CA6E6092AAC5382F9254F7B95BFB53289CF170
                                                                                                                                                                                                      SHA-256:06A6FCF6918C40B410FDC0497D4D1CFB19E137AF67AF087C7D2828F5F5F8B6A1
                                                                                                                                                                                                      SHA-512:541A762145D6AFAE3138E18A8D81A2D6BBC7C6EBFA51E8A635A7E8AEE227D4CFF4FADE61A025F85B9E32BF68D8F95E6472A9F1C732CD852599598E9D3A7B8BD3
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):8052928
                                                                                                                                                                                                      Entropy (8bit):6.741914264599528
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:2UIqCt+u3L0ZxxAXO/uYKpo7PSLr3DHN5T+ZL:2h+m6eAQpmKjp5SZL
                                                                                                                                                                                                      MD5:EDA990A81A5A5F6DF3162022720A06D2
                                                                                                                                                                                                      SHA1:068523A58151F3854D0CEBD18D86F57BA894C663
                                                                                                                                                                                                      SHA-256:693348FA82DB45B66B8547EA27243FB07E22CA4B7F73CF9BC91500E11999D085
                                                                                                                                                                                                      SHA-512:C0E70518E962DF79607E159BE998104DA0C26B92FE79FB2B86119D379EE24D494C6EAF2DF1777EEDFEA5A3EEBAA5B55AF92722946F1A62DA3FE65B3BF4837140
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):6634688
                                                                                                                                                                                                      Entropy (8bit):6.301626651290575
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:wmUHFesQOQfyhqjNZfjVuo95zBx2GQz4sni:wmme9OQ7jVuKDYGCRi
                                                                                                                                                                                                      MD5:D64EF8F62E694FC68A53CF8CA44CB6FB
                                                                                                                                                                                                      SHA1:67B8FEF4496A6C75300B3FCE6641FD5C37B38743
                                                                                                                                                                                                      SHA-256:2C988B1FBB5A1FD4C8C6745DFBA4E9F54715DB32BD4AC9DBB157316C83B20833
                                                                                                                                                                                                      SHA-512:251531483999B13613E036E290D67BB1A7C5829A3CB9742AE9CD1D1A782691AFECE80031772862BEB6C58DEA6C11924E09067EF03D972D41C6EF0AE701B53E2D
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):279904
                                                                                                                                                                                                      Entropy (8bit):6.156710302086518
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6144:unlDl8nN7c/XNJetFi1HvJuXIJX0BtJ15f7ZplD7B0a1gn:ulDcc/itFwvJuIXoJ15tel
                                                                                                                                                                                                      MD5:13AAD16F4791D1080D10E6E8B907734C
                                                                                                                                                                                                      SHA1:F5D01FEB67C081D9663A74B0A2EEAF17275E6B42
                                                                                                                                                                                                      SHA-256:9E41501AA193F96D46C6E2CA946B7B5784907B899665A5C9E35D9D2B0DE8DB67
                                                                                                                                                                                                      SHA-512:FBA91F7F3C5796DD7492A303E575895D169CBDC677551F64CF230329DFAE87324A37FDD559E73E60C073854B6F4D73A94D5CA8463E1D5D2824612031C71D6754
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:InnoSetup Log 64-bit Veraport-x64 {2D992E01-604B-472C-A883-1DDA105A24D5}, version 0x418, 8634 bytes, 287400\37\user\376\, C:\Program Files\Wizvera\Veraport20\376\37
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):8634
                                                                                                                                                                                                      Entropy (8bit):3.9860577443618572
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:192:Ywkv4d61lqs8UJ4Qv+Qhz+f7fk2ZWYYYYAXgXlXLZHY:lA4d61lqs8UJ4gsf78IWYYYYAwVNHY
                                                                                                                                                                                                      MD5:402219EA736E3B2EEC49C5E67F4152BC
                                                                                                                                                                                                      SHA1:AE3DCFA4B0642156CE269BD1D6D97CBD8E45AC93
                                                                                                                                                                                                      SHA-256:0CCA43E6797980F40765D719571EB41E770D17CB60BD99FB77B63A672764F591
                                                                                                                                                                                                      SHA-512:2CCF47B9A2A4BBFFB535850421155E4AE54D72DD73DDD48BD634C91DE190F6055E7E8C78C59DA6E1BCD12D35F50609A6F28DAB42647730E11557DEE1ABA9FFA1
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1199817
                                                                                                                                                                                                      Entropy (8bit):6.371990801910363
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24576:cKbqslNoiGO+h84C6f8HSCNFfoJMpNOErZTOzu5xTxyt6:zwY6fULNntNX5
                                                                                                                                                                                                      MD5:61431AA6633534DEBB7617FB54C396F0
                                                                                                                                                                                                      SHA1:AB23DEAF03AE2B470F1643C9F43F3C6A11CD0EDC
                                                                                                                                                                                                      SHA-256:E16D30A47BDF0CC246CD22506B8DDC9210086EA0BA9E080568BC934ECECBAA4B
                                                                                                                                                                                                      SHA-512:A8C7E94167ABEDBCA1340D227A491CD879CBAAE74633CDEA7A3865012329E28A08D2E368C4DBE341510A5323F7E827474F921D08EB1057CA65BCB00C7B65F293
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):7671488
                                                                                                                                                                                                      Entropy (8bit):6.629886699797603
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:3ww9fmOCkWMkureUiWb9TcSG8hqu8lPjK+FmcWt:3LrCSkuqnWb9TcAhPSVQcM
                                                                                                                                                                                                      MD5:FEB822E7254B73E0D4615BE26A32917F
                                                                                                                                                                                                      SHA1:90CA6E6092AAC5382F9254F7B95BFB53289CF170
                                                                                                                                                                                                      SHA-256:06A6FCF6918C40B410FDC0497D4D1CFB19E137AF67AF087C7D2828F5F5F8B6A1
                                                                                                                                                                                                      SHA-512:541A762145D6AFAE3138E18A8D81A2D6BBC7C6EBFA51E8A635A7E8AEE227D4CFF4FADE61A025F85B9E32BF68D8F95E6472A9F1C732CD852599598E9D3A7B8BD3
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):8052928
                                                                                                                                                                                                      Entropy (8bit):6.741914264599528
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:2UIqCt+u3L0ZxxAXO/uYKpo7PSLr3DHN5T+ZL:2h+m6eAQpmKjp5SZL
                                                                                                                                                                                                      MD5:EDA990A81A5A5F6DF3162022720A06D2
                                                                                                                                                                                                      SHA1:068523A58151F3854D0CEBD18D86F57BA894C663
                                                                                                                                                                                                      SHA-256:693348FA82DB45B66B8547EA27243FB07E22CA4B7F73CF9BC91500E11999D085
                                                                                                                                                                                                      SHA-512:C0E70518E962DF79607E159BE998104DA0C26B92FE79FB2B86119D379EE24D494C6EAF2DF1777EEDFEA5A3EEBAA5B55AF92722946F1A62DA3FE65B3BF4837140
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):6634688
                                                                                                                                                                                                      Entropy (8bit):6.301626651290575
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:wmUHFesQOQfyhqjNZfjVuo95zBx2GQz4sni:wmme9OQ7jVuKDYGCRi
                                                                                                                                                                                                      MD5:D64EF8F62E694FC68A53CF8CA44CB6FB
                                                                                                                                                                                                      SHA1:67B8FEF4496A6C75300B3FCE6641FD5C37B38743
                                                                                                                                                                                                      SHA-256:2C988B1FBB5A1FD4C8C6745DFBA4E9F54715DB32BD4AC9DBB157316C83B20833
                                                                                                                                                                                                      SHA-512:251531483999B13613E036E290D67BB1A7C5829A3CB9742AE9CD1D1A782691AFECE80031772862BEB6C58DEA6C11924E09067EF03D972D41C6EF0AE701B53E2D
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):8082112
                                                                                                                                                                                                      Entropy (8bit):6.699109752405599
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:LA4PMK1QlhGtxaNIgU4rIFQ8AWKxrE8xuX+QbwcA0tV73qTSqsZOY14:0K1HiIRZ+U30uXPUcA0tV1qsZOc4
                                                                                                                                                                                                      MD5:B9A9FA47A5A1056917219012C311889B
                                                                                                                                                                                                      SHA1:714D5C04E1CCCB5F37176B8AEAC00CA11B87E29D
                                                                                                                                                                                                      SHA-256:72AFD216BCDE8B79977BA6F078386FCBDEB924799FCFD6262BD36B0C529260B1
                                                                                                                                                                                                      SHA-512:6C2B2C49EDCE3830B98407D389734E0C7C568699CFF1DABF00269DA29ED9F8B2A955BD32B95797FF39EF3BFB1E0FB8645F000CE9F39618701A4689CC613AEC10
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):235240
                                                                                                                                                                                                      Entropy (8bit):6.053292853230514
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:etvjHwoQlaxnvqSzAZZkmvqztQ+i5QJ1005CQ6RJdbk5t5i8Gnlo80:o7Hwz2nvtAZQztQVQJt516rdQC8G8
                                                                                                                                                                                                      MD5:AA4EF1C182A79F24B519167C41FAB32E
                                                                                                                                                                                                      SHA1:D87210DEBD30250C8D9C3091D2A7ED1A3C662D1B
                                                                                                                                                                                                      SHA-256:5F196219171FB668B4022ACBE3E1D58A90D202D0622D6EBCD67D224AD9ED58DB
                                                                                                                                                                                                      SHA-512:2EA4A65126B44A1DBD467297D0D769F6AAFD7E9D084B79AF8BC967F0AC382A766B0F6940D5DF15101F585EE2C07E75A40D87D6A0B1C987C863FB6DF50A933C07
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe
                                                                                                                                                                                                      File Type:OpenPGP Public Key
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):3152
                                                                                                                                                                                                      Entropy (8bit):7.947931245767123
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:96:+RfKD9LcKQdSaDRtyvQNSWKp3HUbZbHu6TPq:tDDwfAQrKp3U8T
                                                                                                                                                                                                      MD5:286DA169552BEBD9C4C9F2026E975B63
                                                                                                                                                                                                      SHA1:D0058A08D40B8257568DD5C5871EDA7B4AA27DCD
                                                                                                                                                                                                      SHA-256:04741DECBBB20535414B36846B2CD4B763032650010706E880B2393D66DCE96C
                                                                                                                                                                                                      SHA-512:D1D18D5C0CAB88BFA426C983CF7BBA2DA2A572C15C21A059B77F26B5607B38E4DA29E42EF67E5E1B76D9E17B80FD98183584EC6727C22C200CCC27077A130BA0
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe
                                                                                                                                                                                                      File Type:PEM certificate
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1164
                                                                                                                                                                                                      Entropy (8bit):5.866755498272622
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:LrcsTUXTHQ0V6XTHQtE0k7MX5pE302o9ajY0yfn7WbglU/ymjOVZyxxs7AmukTpH:LrcsgXE7XELk7kMQajYTPqwU6YOVZy3Y
                                                                                                                                                                                                      MD5:372FD17A3653320E837450BD24ECA2A2
                                                                                                                                                                                                      SHA1:5230D3DC779E835C47667AA8058DFE0C3C43B257
                                                                                                                                                                                                      SHA-256:FDD4C9E49C6D195D85C2A4F093A3DB6A3791285DB7D9A67EAE3165CFABEC43ED
                                                                                                                                                                                                      SHA-512:0DA9D7589D8EB30588F2E0A275B0B2FB11EDBF878417D4AF6533A741CF4912D65FB1327879336B7312A4F2114F492EDD20C6E4030F17749280C928C70E6AEAB4
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):15930
                                                                                                                                                                                                      Entropy (8bit):5.013251316962535
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:96:8m0sk4CbXg9sIeTMo7NDWxm/HsmfCbyNCPL9TqHISHemOyw/gGgmElnUvRgFPp/x:XUkx5juxVmcPZoxXbl4s0
                                                                                                                                                                                                      MD5:F6090500D33B555BC896D224AB5B10D4
                                                                                                                                                                                                      SHA1:43F32D177A1A5AAFBE46303C690B2CB885E870C4
                                                                                                                                                                                                      SHA-256:0FCFE06BF863525A5CB2FE7FB9FE04BC8845643D7AAA866935243B1CB8C1768C
                                                                                                                                                                                                      SHA-512:AE595D0FC298277CC1740D2BFEE719094F3054A2846B90230DDEF29207BDA070BFEDC3216838DAF1F2AA25551DB9DA0F08B5A30B0DF2E080C11A173E47E5A477
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:.2024-11-21 22:18:31.761 Log opened. (Time zone: UTC-05:00)..2024-11-21 22:18:31.761 Setup version: Inno Setup version 5.5.8 (u)..2024-11-21 22:18:31.761 Original Setup EXE: C:\Users\user\Desktop\veraport-g3-x64.exe..2024-11-21 22:18:31.761 Setup command line: /SL5="$60386,28872543,119296,C:\Users\user\Desktop\veraport-g3-x64.exe" ..2024-11-21 22:18:31.761 Windows version: 10.0.19045 (NT platform: Yes)..2024-11-21 22:18:31.761 64-bit Windows: Yes..2024-11-21 22:18:31.761 Processor architecture: x64..2024-11-21 22:18:31.761 User privileges: Administrative..2024-11-21 22:18:31.793 64-bit install mode: Yes..2024-11-21 22:18:31.809 Created temporary directory: C:\Users\user\AppData\Local\Temp\is-EK596.tmp..2024-11-21 22:19:33.509 Extracting temporary file: C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe..2024-11-21 22:19:43.322 Starting the installation process...2024-11-21 22:19:43.322 Creating directory: C:\Program Files\Wizvera..2024-11-
                                                                                                                                                                                                      Process:C:\Users\user\Desktop\veraport-g3-x64.exe
                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1177088
                                                                                                                                                                                                      Entropy (8bit):6.399776735744912
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24576:0KbqslNoiGO+h84C6f8HSCNFfoJMpNOErZTOzu5xTxyt:LwY6fULNntNX
                                                                                                                                                                                                      MD5:6A96BEF4679E16A54B4090E74664DCCA
                                                                                                                                                                                                      SHA1:C8631C1624B98F6709B1AC37CE3956FAED29BC30
                                                                                                                                                                                                      SHA-256:CB095356DDCFCBACE96C6252FB73A267ED011C15FF206A7A9302007BAA68A783
                                                                                                                                                                                                      SHA-512:924AB1E5C6EA72342EAB6E78899A56C415E90020C46D3D8A81AE4DA9276DB7EA1DF9684965A81FB95A6F2F9CF103B31413D67770EB15725AD04198C5D00037D0
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...Z..V..........................................@.......................................@......@..............................@8... ...............................................................................................................text............................... ..`.itext.. ........................... ..`.data...h0.......2..................@....bss.....a...P.......&...................idata..@8.......:...&..............@....tls....<............`...................rdata...............`..............@..@.rsrc........ .......b..............@..@....................................@..@........................................................................................................................................
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe
                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1170432
                                                                                                                                                                                                      Entropy (8bit):6.39928428004553
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24576:w4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96uYxyx:VT90guMXEdqwHkUj
                                                                                                                                                                                                      MD5:63B15124BE653DBE589C7981DA9D397C
                                                                                                                                                                                                      SHA1:AF8874BDF2AD726F5420E8132C10BECC2BBCD93C
                                                                                                                                                                                                      SHA-256:61674B90891CA099D5FEE62BF063A948A80863530AB6A31E7F9E06F0E5BC7599
                                                                                                                                                                                                      SHA-512:339B284B5DD7386DCFA86C8FDCF239A0E97CC168229EA9A66FC0C6B26771401FA7F27C2C6A435A836A43EA9C7E634A3E47EC77E0D27985794BBB4416DFC97AC8
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....,.Q..........................................@..............................................@...............................7..................................................................................t................................text...t........................... ..`.itext.. ........................... ..`.data...00.......2..................@....bss.....a...@...........................idata...7.......8..................@....tls....<............F...................rdata...............F..............@..@.rsrc................H..............@..@....................................@..@........................................................................................................................................
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):6144
                                                                                                                                                                                                      Entropy (8bit):4.720366600008286
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                                                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                                                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                                                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                                                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):23312
                                                                                                                                                                                                      Entropy (8bit):4.596242908851566
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                                                                                                      MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                                                                                                      SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                                                                                                      SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                                                                                                      SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):5848896
                                                                                                                                                                                                      Entropy (8bit):7.994878119676408
                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                      SSDEEP:98304:2u33UC7GOvq8jDuqywJBcm+d4wiysY1JBW99qu1EQd71YUfxt1adDJYGBo:2ufGOv5jDVywjcLrBsY13GEUyUf0ZbS
                                                                                                                                                                                                      MD5:EA18C971818F833249090BB8B11F72C3
                                                                                                                                                                                                      SHA1:9F1F166751452A2F9286DA2EC79092F031029617
                                                                                                                                                                                                      SHA-256:D2B17C8815A7E2E5F96C5A8DE96E949EDF4F4009EB9941A0B8A472D6A59A62EF
                                                                                                                                                                                                      SHA-512:A8D5DDE31BC4431ECF94D02891F3993AC4C10F60D4B5EA7FEEBB35C0CEA0E2A6D8A9D9E54B4EE1506B1C0A2B1A2DFC2C2CB4D67835F76FD0C444FCF95D67E7FA
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....,.Q..................................... ....@..........................p.......SY..........@....................................................Y.P,...........................................................................................text...,........................... ..`.itext..D........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.....................................rdata..............................@..@.rsrc................ ..............@..@.............p......................@..@........................................................................................................................................
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PEM certificate
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1212
                                                                                                                                                                                                      Entropy (8bit):5.904728962463118
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:LrcYcm2Y6hdQmUX0lVzng6JjgsI0lfhdQhpjxO7zypJ88K6gW28Z5NaPHbw+zsGP:LrcYbCh+X0XnrjgsI0FoHjxbznK6gWva
                                                                                                                                                                                                      MD5:37249E5BD6B7D97DFF1E7B7EE3ADE379
                                                                                                                                                                                                      SHA1:DBEE49494713937BB2A014097454C469C723B712
                                                                                                                                                                                                      SHA-256:88DCD9DEC617218506C92814C2AB22FA7EAABE51CF8282465D3F70382D1D2CEC
                                                                                                                                                                                                      SHA-512:F8EBF9EFB7BFBB47DA47B453052B10F059000021989C02FA3CA8DA324AFF4923D3D1777ED86EBB7914980142358B5A3929A0EBE1D581CF4DB52B8A8A1FC8CEA8
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PEM certificate
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1212
                                                                                                                                                                                                      Entropy (8bit):5.916479117884784
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:LrcYw2/a2YVdQ/UX0lVzngeJu3W/Jkek2LN7SP4StSfn6vBdKZLEeaaF9gZ+cdQJ:LrcYitqMX0Xn3u3Wpx7Q4rP6vB8+eaaR
                                                                                                                                                                                                      MD5:7A65B4226F7B4F594BB4800E3B0996C6
                                                                                                                                                                                                      SHA1:5008A17A4426675A5781980151F0F2D06F31CC77
                                                                                                                                                                                                      SHA-256:905C65B5D8E5436932FE9EE5781EBC26E26B9E302790689058E48BDA376DDFA5
                                                                                                                                                                                                      SHA-512:09FA5AB2EA077DC2A27C2E421A0AECD525EC0BBE27E6442177CA48C753AE74811F8C1851CAB376BDD09E616C318D09CDDCB4A79861FC716FC2CA37123ACFD3CA
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):6433472
                                                                                                                                                                                                      Entropy (8bit):6.257836978494735
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:49152:92B5cNgywx1VKm8gVK9RNfs8OiVJu6CDm8N18nnimGbBR2an4FTj8N+cXqQu+WUo:eKmBC9uizuNP18nnFG32a4FnLOb4
                                                                                                                                                                                                      MD5:23E1BB5820342D506C90BEE2E22482D2
                                                                                                                                                                                                      SHA1:FC64DF02B3B63E873A727EC7775BE0AD94B9402B
                                                                                                                                                                                                      SHA-256:A83E7B782CE8B536B08F4176A3E90958E8EFC6B77D3813B073E8AD2CF54DBC6F
                                                                                                                                                                                                      SHA-512:FAAE6B65ABF20EF2DC4DFAAD06F81BB20017113E83EE8B570010CDA5E9B89EA123464061B4B7D9D565CC5B9D4ECB117016F72ED56600FC3ADC7A1E63F576DA6A
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):2172216
                                                                                                                                                                                                      Entropy (8bit):6.709878039513874
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:49152:LkUFbvVrZuxV5fzo+y+9gjhYhptvwdRezosg:LpbvVrZud7o+yV2dvwn
                                                                                                                                                                                                      MD5:0FFE29C5EFF5BD3E25142A388FBEDB5A
                                                                                                                                                                                                      SHA1:23869F53B974BD0AB6EB08C90F48E900AD7BEBD6
                                                                                                                                                                                                      SHA-256:4C2D7F9ED2F8E2A55C2D6E34F1BBAC74DC3606168010E798C3249A43EB4E9B98
                                                                                                                                                                                                      SHA-512:8A3E613B9ED7AFD698E5AF3B676FE8ED147992D80B8748D68CA4C380CE6C3D6EADFFE410C31438EE13FC2C31C4844D5A610FA9E3AEFB6A8C68537C7EC852DE36
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):6433472
                                                                                                                                                                                                      Entropy (8bit):6.257836978494735
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:49152:92B5cNgywx1VKm8gVK9RNfs8OiVJu6CDm8N18nnimGbBR2an4FTj8N+cXqQu+WUo:eKmBC9uizuNP18nnFG32a4FnLOb4
                                                                                                                                                                                                      MD5:23E1BB5820342D506C90BEE2E22482D2
                                                                                                                                                                                                      SHA1:FC64DF02B3B63E873A727EC7775BE0AD94B9402B
                                                                                                                                                                                                      SHA-256:A83E7B782CE8B536B08F4176A3E90958E8EFC6B77D3813B073E8AD2CF54DBC6F
                                                                                                                                                                                                      SHA-512:FAAE6B65ABF20EF2DC4DFAAD06F81BB20017113E83EE8B570010CDA5E9B89EA123464061B4B7D9D565CC5B9D4ECB117016F72ED56600FC3ADC7A1E63F576DA6A
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):18503
                                                                                                                                                                                                      Entropy (8bit):4.602916384645227
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:384:Vj1U6LjK80R6O5Xgao4Oy4ji4GNdUrw9j4cCg9kcjKPoBt:V1UAmjRd5XZFFUuj4cCg9kc2Poz
                                                                                                                                                                                                      MD5:BDDEDB773E17C5704ACA39EAC9F71FA4
                                                                                                                                                                                                      SHA1:0C3529CB8DA338AB8BABC78B039F1F7D841F6EF8
                                                                                                                                                                                                      SHA-256:8D795AEAC957C8B6556B2ACA5E0A5A8B0B3254365D488BC62E280CB3255D441A
                                                                                                                                                                                                      SHA-512:E8FAC311334B505886E65CF2804223D1304C0A5E72F5E1BF8A09F9E76221B597696E762E613438D0286EA45FF57B22A29944E3BDA6198996EC4F1215B505FC14
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:NSS is available under the Mozilla Public License, version 2, a copy of which..is below.....Note on GPL Compatibility..-------------------------....The MPL 2, section 3.3, permits you to combine NSS with code under the GNU..General Public License (GPL) version 2, or any later version of that..license, to make a Larger Work, and distribute the result under the GPL...The only condition is that you must also make NSS, and any changes you..have made to it, available to recipients under the terms of the MPL 2 also.....Anyone who receives the combined code from you does not have to continue..to dual licence in this way, and may, if they wish, distribute under the..terms of either of the two licences - either the MPL alone or the GPL..alone. However, we discourage people from distributing copies of NSS under..the GPL alone, because it means that any improvements they make cannot be..reincorporated into the main version of NSS. There is never a need to do..this for license compatibility reason
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):17097
                                                                                                                                                                                                      Entropy (8bit):4.589469361500095
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:384:njK80R6O5Xgao4Oy4ji4GNdUrw9j4cCg9kcjKPoBw:nmjRd5XZFFUuj4cCg9kc2Po6
                                                                                                                                                                                                      MD5:17C0970E8C7B6A6BD33E0C66FE6DC514
                                                                                                                                                                                                      SHA1:81EF2049ACEC205180DFAA781E2D6257E1901E95
                                                                                                                                                                                                      SHA-256:112F7B1A5C192DD892F2D2092DF46109185AD9F5EB729EAC9770F48C352887DF
                                                                                                                                                                                                      SHA-512:A7D438DC4BF1E80431651D07213CDCB568AEF6024BE85D38C29C22B16A04C99C761E1B70A7EE025E43F61FCB18C4B4D552FCF2E08ED39E48FBBBB85496952BA6
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:Mozilla Public License Version 2.0..==================================....1. Definitions..--------------....1.1. "Contributor".. means each individual or legal entity that creates, contributes to.. the creation of, or owns Covered Software.....1.2. "Contributor Version".. means the combination of the Contributions of others (if any) used.. by a Contributor and that particular Contributor's Contribution.....1.3. "Contribution".. means Covered Software of a particular Contributor.....1.4. "Covered Software".. means Source Code Form to which the initial Contributor has attached.. the notice in Exhibit A, the Executable Form of such Source Code.. Form, and Modifications of such Source Code Form, in each case.. including portions thereof.....1.5. "Incompatible With Secondary Licenses".. means.... (a) that the initial Contributor has attached the notice described.. in Exhibit B to the Covered Software; or.... (b) that the Covered Software was made a
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):411
                                                                                                                                                                                                      Entropy (8bit):5.208888321720358
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:12:vfcoG8zO9X0TAzO6Tg7SWHMj8GaDHdKTU:XE8z6PzEMPaj3
                                                                                                                                                                                                      MD5:3A8245C6346BF3698246EA4528245A43
                                                                                                                                                                                                      SHA1:1C302DF7CC15EA32688A9BD457FE3E1B279D629B
                                                                                                                                                                                                      SHA-256:CD8190312D3F8683312213D2A1204CAB5E1222AB46ADDACDA0D3F81B35161376
                                                                                                                                                                                                      SHA-512:817D164FAEBF8EA7B672674FFFC40A4845FC11C70D24B2E92629ABF4BC60C27622CE0F4A1B7CE8273600FAC9437F579C74558BAD9AA1F25C21D19CC4D1A4B350
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:Mozilla NSS certutil.exe and dependencies..===========....sources obtained from:..-------------..https://hg.mozilla.org/projects/nspr (revision 4646) - [Mozilla Public License, version 2](LICENSE)..https://hg.mozilla.org/projects/nss (release 3.20) - [Mozilla Public License, version 2](LICENSE)....requires vcredist 2013/12.0 32bit:..-------------..http://www.microsoft.com/en-us/download/details.aspx?id=40784
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):114688
                                                                                                                                                                                                      Entropy (8bit):6.498550775653996
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:vLHYLWUjUOh73h/NvurB+mLBdQPUjRqv0hp:IWUjUO+XBdQPwAv0X
                                                                                                                                                                                                      MD5:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                                                                      SHA1:4B6BC2776A07CEF559E2D9260EE7E3873D2B25D9
                                                                                                                                                                                                      SHA-256:64AD18F4D9BEF01B86E39CA1E774DFA37DB46BC8267453C418DD7F723D6D014C
                                                                                                                                                                                                      SHA-512:128605C51FD15599D69A2713F461605F069A71387CE176BD5AFCC65C04A4CA240056B4C1E63846B7E02C29ECD2D163F7CA3B502D881C319203E2110C6FC05862
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):322048
                                                                                                                                                                                                      Entropy (8bit):6.69079609843791
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6144:rYq6WFCT7yIFyGre4gqvkeZEcoE9OhFPs3ivxVu0yUzHjp9AkVliqqDL687PXGHe:r5i7JlgqvkeZEcocOADUflHXqn6sIWB
                                                                                                                                                                                                      MD5:F474DD91BB12F230209EC3163CE7E6C4
                                                                                                                                                                                                      SHA1:04FF682E527A1C132F73BD836B7880DFA1128528
                                                                                                                                                                                                      SHA-256:F63B2CAB4B77AC63A1BECA66872A991E1F8233F2C513D42460DBF28C733B138C
                                                                                                                                                                                                      SHA-512:01F1FEAACDA301B013F5E097FA5816B0075B7389EE0522E8FE350802093F6CDFE6ADE24FF2A0350896B333E44A77901BBCEAD85F8CF98BFA91FB110C18ADBFEE
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):169984
                                                                                                                                                                                                      Entropy (8bit):6.398159480656867
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:+dGb9/jT+3ZazHitaf6fc5q/RYmgdwy6jnwU8AF+3eWQAZHbC:+dGb9/+3sLia6u7Ih8AsRhBe
                                                                                                                                                                                                      MD5:6832B9A7AB871D81BE42054F117B8299
                                                                                                                                                                                                      SHA1:935C0FE7E6CB356A8854E3B7046FD7FC0AA29C61
                                                                                                                                                                                                      SHA-256:B1316E04B3BF464906F4E015D3E71B4E06A65CC6E59A20A96984EE1E862DCB0E
                                                                                                                                                                                                      SHA-512:E6579F7DF7B3C43219E47630A6B51A576D2FFA9902DDB0F309F5CCB210242DD16EBEC75439B2BAC22E5CB0B62984386CB6EB4190B2914827B79E3E4AFBBDEE9C
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):233984
                                                                                                                                                                                                      Entropy (8bit):6.639915060449015
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6144:OCIWfHHSPufQePpFEXiO1BwOD1NUGvRf8+7wNTBhg:OpWfHHSPudfOD1H8QwNTH
                                                                                                                                                                                                      MD5:55FC1EB1359AFDA427CF8CF7FC840CF2
                                                                                                                                                                                                      SHA1:F854CD1A0217AC9EB82220D87B43EC1C17B71A86
                                                                                                                                                                                                      SHA-256:77E642601D600B8DDA1FC64E4CC8D556FC53217DF933122C487EC43C1F60E2DE
                                                                                                                                                                                                      SHA-512:D7728CC9969A9BC7FC7B70884E86478A96ED33796B078D47170A0A894E8EEC982B61A0D3094867FF976FF3E97AD15A638A06C138A418FB952E76AE4FE79B9CB4
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):159232
                                                                                                                                                                                                      Entropy (8bit):6.628891949059009
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:5XEjwQq1VzTiey++hdm0mCeZrkAhniYUwl5VFTF0Rda914+2FTTf4oLkPEb:dEMfieU8A2ijMTF0RdE14P5LkP
                                                                                                                                                                                                      MD5:BD0E897DBC2DCC0CF1287FFD7C734CF0
                                                                                                                                                                                                      SHA1:5C9C6C6082127D106520FF2E88D4CD4B665D134F
                                                                                                                                                                                                      SHA-256:2D2096447B366D6640F2670EDB474AB208D8D85B5650DB5E80CC985D1189F911
                                                                                                                                                                                                      SHA-512:DB21B151B9877C9B5A5DC2EDA3AFA6A75A827CE1F340032427B7DE1D9F9803767AECC582862B58885F456C78FC75EE529581089B725975600E45C6AF785280A9
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):11776
                                                                                                                                                                                                      Entropy (8bit):5.727800685529315
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:192:PMf3jwDmDS5J3HcLK9gRIcsumHu4BGeTNN+b9omw5TYlFQ3XGU0r3zqY:PMkDmS5ZcLK9gufNBdxl9klFwH0r35
                                                                                                                                                                                                      MD5:B7ED50495D311CF6E7AD247968DD2079
                                                                                                                                                                                                      SHA1:3364725821EA012F8FA99DF102677BEFC5FF929F
                                                                                                                                                                                                      SHA-256:20166E281B31AE60672B9D87CB69FCBA0C38CC5E18A8BA081C5601CCFAB7589F
                                                                                                                                                                                                      SHA-512:A783F0A00D016A5974F87399637BDDD5A5821E3A79C5ACB2F6B3F097C9BFFEFB8A1DEE7D968C0646FAA2D854A105C57988D244D9C47FB9C189D8383C00A8D2FE
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):17097
                                                                                                                                                                                                      Entropy (8bit):4.589469361500095
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:384:njK80R6O5Xgao4Oy4ji4GNdUrw9j4cCg9kcjKPoBw:nmjRd5XZFFUuj4cCg9kc2Po6
                                                                                                                                                                                                      MD5:17C0970E8C7B6A6BD33E0C66FE6DC514
                                                                                                                                                                                                      SHA1:81EF2049ACEC205180DFAA781E2D6257E1901E95
                                                                                                                                                                                                      SHA-256:112F7B1A5C192DD892F2D2092DF46109185AD9F5EB729EAC9770F48C352887DF
                                                                                                                                                                                                      SHA-512:A7D438DC4BF1E80431651D07213CDCB568AEF6024BE85D38C29C22B16A04C99C761E1B70A7EE025E43F61FCB18C4B4D552FCF2E08ED39E48FBBBB85496952BA6
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:Mozilla Public License Version 2.0..==================================....1. Definitions..--------------....1.1. "Contributor".. means each individual or legal entity that creates, contributes to.. the creation of, or owns Covered Software.....1.2. "Contributor Version".. means the combination of the Contributions of others (if any) used.. by a Contributor and that particular Contributor's Contribution.....1.3. "Contribution".. means Covered Software of a particular Contributor.....1.4. "Covered Software".. means Source Code Form to which the initial Contributor has attached.. the notice in Exhibit A, the Executable Form of such Source Code.. Form, and Modifications of such Source Code Form, in each case.. including portions thereof.....1.5. "Incompatible With Secondary Licenses".. means.... (a) that the initial Contributor has attached the notice described.. in Exhibit B to the Covered Software; or.... (b) that the Covered Software was made a
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):13824
                                                                                                                                                                                                      Entropy (8bit):5.9228411202071864
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:192:gw+B2CXVETJWuHXzJqjtWoFyR5h+cBCyvqGnnnLGjV0BYpa3XGU0ki:oBH2VWu3Vqj8oFOjGsGjVAYIH0ki
                                                                                                                                                                                                      MD5:88B4DF8D7D536A195F866B70C48ED534
                                                                                                                                                                                                      SHA1:A385BCD411C3DFAD1C08CF56977C1BA45ECBF2F9
                                                                                                                                                                                                      SHA-256:09F01488A002915B8472A4E82ADB7A3E8CB43BD77DB347B0178EAE614F846A0A
                                                                                                                                                                                                      SHA-512:B8291CC96A40391D69A75DD348204083F2E21A752A8AF3339FD524F8DBB9947575C33EB8ECF77FC177CF2E3568777B2DE267CF63301034B28ADCFEF40AB821C1
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):18503
                                                                                                                                                                                                      Entropy (8bit):4.602916384645227
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:384:Vj1U6LjK80R6O5Xgao4Oy4ji4GNdUrw9j4cCg9kcjKPoBt:V1UAmjRd5XZFFUuj4cCg9kc2Poz
                                                                                                                                                                                                      MD5:BDDEDB773E17C5704ACA39EAC9F71FA4
                                                                                                                                                                                                      SHA1:0C3529CB8DA338AB8BABC78B039F1F7D841F6EF8
                                                                                                                                                                                                      SHA-256:8D795AEAC957C8B6556B2ACA5E0A5A8B0B3254365D488BC62E280CB3255D441A
                                                                                                                                                                                                      SHA-512:E8FAC311334B505886E65CF2804223D1304C0A5E72F5E1BF8A09F9E76221B597696E762E613438D0286EA45FF57B22A29944E3BDA6198996EC4F1215B505FC14
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:NSS is available under the Mozilla Public License, version 2, a copy of which..is below.....Note on GPL Compatibility..-------------------------....The MPL 2, section 3.3, permits you to combine NSS with code under the GNU..General Public License (GPL) version 2, or any later version of that..license, to make a Larger Work, and distribute the result under the GPL...The only condition is that you must also make NSS, and any changes you..have made to it, available to recipients under the terms of the MPL 2 also.....Anyone who receives the combined code from you does not have to continue..to dual licence in this way, and may, if they wish, distribute under the..terms of either of the two licences - either the MPL alone or the GPL..alone. However, we discourage people from distributing copies of NSS under..the GPL alone, because it means that any improvements they make cannot be..reincorporated into the main version of NSS. There is never a need to do..this for license compatibility reason
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):98816
                                                                                                                                                                                                      Entropy (8bit):6.174147183797477
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:zmutViJeP5/spfYAYJV+1W26doizknjBNNqG5NFxXy4/H:zmutzP5/spfYAkV+1WpzeNqGG4
                                                                                                                                                                                                      MD5:94624BBAB23A92E0A5F90CCE9A5A340D
                                                                                                                                                                                                      SHA1:A81D1E0A2C75657F698CEE9346FA85423B9B365F
                                                                                                                                                                                                      SHA-256:B0104EA7AAA257B111982BD0763C1C47FFF76BD70249F84DCAD834D50444DF1A
                                                                                                                                                                                                      SHA-512:D623E4D271A0DCC0F16E4A2DC4D10422DE42445D6DA60A5FDB149C511B5E5363DE448696592E11DCE118F950EED2E92CFFB78056C80E1A8E3A42D44EC54CB9F3
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):114688
                                                                                                                                                                                                      Entropy (8bit):6.498550775653996
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:vLHYLWUjUOh73h/NvurB+mLBdQPUjRqv0hp:IWUjUO+XBdQPwAv0X
                                                                                                                                                                                                      MD5:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                                                                      SHA1:4B6BC2776A07CEF559E2D9260EE7E3873D2B25D9
                                                                                                                                                                                                      SHA-256:64AD18F4D9BEF01B86E39CA1E774DFA37DB46BC8267453C418DD7F723D6D014C
                                                                                                                                                                                                      SHA-512:128605C51FD15599D69A2713F461605F069A71387CE176BD5AFCC65C04A4CA240056B4C1E63846B7E02C29ECD2D163F7CA3B502D881C319203E2110C6FC05862
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):110592
                                                                                                                                                                                                      Entropy (8bit):6.4887902817222995
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:1536:QlEUXeNbfEzPX5FdEsom/cbvczqvooFPrSd8kBlUT1SB:qlybfEbXTd5wbvYqf0d8kBlUT1SB
                                                                                                                                                                                                      MD5:C19416E9CF9E571068CA14276C6E0620
                                                                                                                                                                                                      SHA1:B5E8EE4659B678FB3B234055B1EEDA920EB20B30
                                                                                                                                                                                                      SHA-256:BA9341807B42E90BB0380D51A83D3D6A0DE7D57B6820A8B0CBE5E36E978860FA
                                                                                                                                                                                                      SHA-512:5CDE579F66E0677F1419DC11723E1F7B5A7D408B4B3250E26AA0C0863A46B6FD86F17813416769F1EEC89375F3C9C83FED468A17D1EF80F83FF1744927E7DA79
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):102400
                                                                                                                                                                                                      Entropy (8bit):6.425621973332139
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:rHLNCxyxOuseQadJYO3bc3Vjo0ZQNf1v1ErPjH3XK:rrdrdJYOLt0ZG1gPjXX
                                                                                                                                                                                                      MD5:8CC6A31974A175A65D6C090FEED39F42
                                                                                                                                                                                                      SHA1:30DFEDDC8A4A59AEB7198D8CC9C712F3248A1E51
                                                                                                                                                                                                      SHA-256:F64111FAA9966D7B7859C6467BEDBD64559284B049F55FFADC54DFC50A3A4264
                                                                                                                                                                                                      SHA-512:597B2FB5BA96FE656E2C81D3D411ADFC4E693510F130872E16C9CC70355B41FCCFC0B9DBC16171AF76E2CAA7945FDF2519CEA40B9EF1A161ED967346DF595D5E
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):478208
                                                                                                                                                                                                      Entropy (8bit):6.657367656177312
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:12288:rF2tNYpFGB/zPDxB9+lfwskvdkuuNRcsUBm+6dwczL:wYpABLclfokbAsUBP+
                                                                                                                                                                                                      MD5:3A58690AFF7051BB18EA9D764A450551
                                                                                                                                                                                                      SHA1:5CE859B3229DA70925FFA25564CB6D7C84DD6C36
                                                                                                                                                                                                      SHA-256:D2D0B729837574D2EB6ADAC4F819BC4F8534AC9A43B17663942B2401A02DB02A
                                                                                                                                                                                                      SHA-512:299634094A624EE8AD2898D3F2BDF8FEE23F234C160992E68D087AF828A16FF18E3D1FB1CA5755E82F592D6E3E335C63A9C8DAD04EF003D2127BBFCDBEC649D4
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):322048
                                                                                                                                                                                                      Entropy (8bit):6.69079609843791
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6144:rYq6WFCT7yIFyGre4gqvkeZEcoE9OhFPs3ivxVu0yUzHjp9AkVliqqDL687PXGHe:r5i7JlgqvkeZEcocOADUflHXqn6sIWB
                                                                                                                                                                                                      MD5:F474DD91BB12F230209EC3163CE7E6C4
                                                                                                                                                                                                      SHA1:04FF682E527A1C132F73BD836B7880DFA1128528
                                                                                                                                                                                                      SHA-256:F63B2CAB4B77AC63A1BECA66872A991E1F8233F2C513D42460DBF28C733B138C
                                                                                                                                                                                                      SHA-512:01F1FEAACDA301B013F5E097FA5816B0075B7389EE0522E8FE350802093F6CDFE6ADE24FF2A0350896B333E44A77901BBCEAD85F8CF98BFA91FB110C18ADBFEE
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):807424
                                                                                                                                                                                                      Entropy (8bit):6.373676348059312
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24576:fE0i/L+PiYRCYeqF54WhJAqSoOzut7EtYiaUMes5+99SFP4MSKE:sexRT8RMS/
                                                                                                                                                                                                      MD5:54F3932864EED803BD1CB82DF43F0C76
                                                                                                                                                                                                      SHA1:675960ACFED6DF22AE0A41973B08494554B37F1A
                                                                                                                                                                                                      SHA-256:96E068E6162A98D212B57C86B14FC539F1BBDCCD363F68EFD8CDFECC90C699D3
                                                                                                                                                                                                      SHA-512:3E1ECCB33B8371DBE4801C5C3909130EB4E2A8A9AEC80D2C7B2528B00DD137C5FFE672095963D207B48E10F8E024C34FE841AA7ED22C7B7FA6E058165FCE90B8
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):970912
                                                                                                                                                                                                      Entropy (8bit):6.9649735952029515
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                                                                                      MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                                                                                      SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                                                                                      SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                                                                                      SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):436224
                                                                                                                                                                                                      Entropy (8bit):6.90975258770428
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6144:t2HwxiNQVRjpfTOIf4EUo4pVQ6i+8a9CftgcWGzGgI4oW:t2HwxiWV/7OIfh4pVb2/WGzGgI4oW
                                                                                                                                                                                                      MD5:40483977B63FF6382BA0E4FB03198C8B
                                                                                                                                                                                                      SHA1:D6C291BE675E45A2D270E77BBC8F73D8FA51D8AD
                                                                                                                                                                                                      SHA-256:BFA1DE077F19AFC7B21FEB41891B4200A40B4DDA114F483D4EB92FF7A375926D
                                                                                                                                                                                                      SHA-512:EBA65F2F39F0E0FA317D5AEA13F945A3A72DA72CC31C0A0631B070AB3A914CC19250FC794C1294F4195657B6D79AC56E50190F3ED3745FCB37F4EBD833F16862
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):411
                                                                                                                                                                                                      Entropy (8bit):5.208888321720358
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:12:vfcoG8zO9X0TAzO6Tg7SWHMj8GaDHdKTU:XE8z6PzEMPaj3
                                                                                                                                                                                                      MD5:3A8245C6346BF3698246EA4528245A43
                                                                                                                                                                                                      SHA1:1C302DF7CC15EA32688A9BD457FE3E1B279D629B
                                                                                                                                                                                                      SHA-256:CD8190312D3F8683312213D2A1204CAB5E1222AB46ADDACDA0D3F81B35161376
                                                                                                                                                                                                      SHA-512:817D164FAEBF8EA7B672674FFFC40A4845FC11C70D24B2E92629ABF4BC60C27622CE0F4A1B7CE8273600FAC9437F579C74558BAD9AA1F25C21D19CC4D1A4B350
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:Mozilla NSS certutil.exe and dependencies..===========....sources obtained from:..-------------..https://hg.mozilla.org/projects/nspr (revision 4646) - [Mozilla Public License, version 2](LICENSE)..https://hg.mozilla.org/projects/nss (release 3.20) - [Mozilla Public License, version 2](LICENSE)....requires vcredist 2013/12.0 32bit:..-------------..http://www.microsoft.com/en-us/download/details.aspx?id=40784
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):970912
                                                                                                                                                                                                      Entropy (8bit):6.9649735952029515
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                                                                                      MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                                                                                      SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                                                                                      SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                                                                                      SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):159232
                                                                                                                                                                                                      Entropy (8bit):6.628891949059009
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:5XEjwQq1VzTiey++hdm0mCeZrkAhniYUwl5VFTF0Rda914+2FTTf4oLkPEb:dEMfieU8A2ijMTF0RdE14P5LkP
                                                                                                                                                                                                      MD5:BD0E897DBC2DCC0CF1287FFD7C734CF0
                                                                                                                                                                                                      SHA1:5C9C6C6082127D106520FF2E88D4CD4B665D134F
                                                                                                                                                                                                      SHA-256:2D2096447B366D6640F2670EDB474AB208D8D85B5650DB5E80CC985D1189F911
                                                                                                                                                                                                      SHA-512:DB21B151B9877C9B5A5DC2EDA3AFA6A75A827CE1F340032427B7DE1D9F9803767AECC582862B58885F456C78FC75EE529581089B725975600E45C6AF785280A9
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):807424
                                                                                                                                                                                                      Entropy (8bit):6.373676348059312
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24576:fE0i/L+PiYRCYeqF54WhJAqSoOzut7EtYiaUMes5+99SFP4MSKE:sexRT8RMS/
                                                                                                                                                                                                      MD5:54F3932864EED803BD1CB82DF43F0C76
                                                                                                                                                                                                      SHA1:675960ACFED6DF22AE0A41973B08494554B37F1A
                                                                                                                                                                                                      SHA-256:96E068E6162A98D212B57C86B14FC539F1BBDCCD363F68EFD8CDFECC90C699D3
                                                                                                                                                                                                      SHA-512:3E1ECCB33B8371DBE4801C5C3909130EB4E2A8A9AEC80D2C7B2528B00DD137C5FFE672095963D207B48E10F8E024C34FE841AA7ED22C7B7FA6E058165FCE90B8
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):436224
                                                                                                                                                                                                      Entropy (8bit):6.90975258770428
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6144:t2HwxiNQVRjpfTOIf4EUo4pVQ6i+8a9CftgcWGzGgI4oW:t2HwxiWV/7OIfh4pVb2/WGzGgI4oW
                                                                                                                                                                                                      MD5:40483977B63FF6382BA0E4FB03198C8B
                                                                                                                                                                                                      SHA1:D6C291BE675E45A2D270E77BBC8F73D8FA51D8AD
                                                                                                                                                                                                      SHA-256:BFA1DE077F19AFC7B21FEB41891B4200A40B4DDA114F483D4EB92FF7A375926D
                                                                                                                                                                                                      SHA-512:EBA65F2F39F0E0FA317D5AEA13F945A3A72DA72CC31C0A0631B070AB3A914CC19250FC794C1294F4195657B6D79AC56E50190F3ED3745FCB37F4EBD833F16862
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):102400
                                                                                                                                                                                                      Entropy (8bit):6.425621973332139
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:rHLNCxyxOuseQadJYO3bc3Vjo0ZQNf1v1ErPjH3XK:rrdrdJYOLt0ZG1gPjXX
                                                                                                                                                                                                      MD5:8CC6A31974A175A65D6C090FEED39F42
                                                                                                                                                                                                      SHA1:30DFEDDC8A4A59AEB7198D8CC9C712F3248A1E51
                                                                                                                                                                                                      SHA-256:F64111FAA9966D7B7859C6467BEDBD64559284B049F55FFADC54DFC50A3A4264
                                                                                                                                                                                                      SHA-512:597B2FB5BA96FE656E2C81D3D411ADFC4E693510F130872E16C9CC70355B41FCCFC0B9DBC16171AF76E2CAA7945FDF2519CEA40B9EF1A161ED967346DF595D5E
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):110592
                                                                                                                                                                                                      Entropy (8bit):6.4887902817222995
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:1536:QlEUXeNbfEzPX5FdEsom/cbvczqvooFPrSd8kBlUT1SB:qlybfEbXTd5wbvYqf0d8kBlUT1SB
                                                                                                                                                                                                      MD5:C19416E9CF9E571068CA14276C6E0620
                                                                                                                                                                                                      SHA1:B5E8EE4659B678FB3B234055B1EEDA920EB20B30
                                                                                                                                                                                                      SHA-256:BA9341807B42E90BB0380D51A83D3D6A0DE7D57B6820A8B0CBE5E36E978860FA
                                                                                                                                                                                                      SHA-512:5CDE579F66E0677F1419DC11723E1F7B5A7D408B4B3250E26AA0C0863A46B6FD86F17813416769F1EEC89375F3C9C83FED468A17D1EF80F83FF1744927E7DA79
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):13824
                                                                                                                                                                                                      Entropy (8bit):5.9228411202071864
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:192:gw+B2CXVETJWuHXzJqjtWoFyR5h+cBCyvqGnnnLGjV0BYpa3XGU0ki:oBH2VWu3Vqj8oFOjGsGjVAYIH0ki
                                                                                                                                                                                                      MD5:88B4DF8D7D536A195F866B70C48ED534
                                                                                                                                                                                                      SHA1:A385BCD411C3DFAD1C08CF56977C1BA45ECBF2F9
                                                                                                                                                                                                      SHA-256:09F01488A002915B8472A4E82ADB7A3E8CB43BD77DB347B0178EAE614F846A0A
                                                                                                                                                                                                      SHA-512:B8291CC96A40391D69A75DD348204083F2E21A752A8AF3339FD524F8DBB9947575C33EB8ECF77FC177CF2E3568777B2DE267CF63301034B28ADCFEF40AB821C1
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):11776
                                                                                                                                                                                                      Entropy (8bit):5.727800685529315
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:192:PMf3jwDmDS5J3HcLK9gRIcsumHu4BGeTNN+b9omw5TYlFQ3XGU0r3zqY:PMkDmS5ZcLK9gufNBdxl9klFwH0r35
                                                                                                                                                                                                      MD5:B7ED50495D311CF6E7AD247968DD2079
                                                                                                                                                                                                      SHA1:3364725821EA012F8FA99DF102677BEFC5FF929F
                                                                                                                                                                                                      SHA-256:20166E281B31AE60672B9D87CB69FCBA0C38CC5E18A8BA081C5601CCFAB7589F
                                                                                                                                                                                                      SHA-512:A783F0A00D016A5974F87399637BDDD5A5821E3A79C5ACB2F6B3F097C9BFFEFB8A1DEE7D968C0646FAA2D854A105C57988D244D9C47FB9C189D8383C00A8D2FE
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):98816
                                                                                                                                                                                                      Entropy (8bit):6.174147183797477
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:zmutViJeP5/spfYAYJV+1W26doizknjBNNqG5NFxXy4/H:zmutzP5/spfYAkV+1WpzeNqGG4
                                                                                                                                                                                                      MD5:94624BBAB23A92E0A5F90CCE9A5A340D
                                                                                                                                                                                                      SHA1:A81D1E0A2C75657F698CEE9346FA85423B9B365F
                                                                                                                                                                                                      SHA-256:B0104EA7AAA257B111982BD0763C1C47FFF76BD70249F84DCAD834D50444DF1A
                                                                                                                                                                                                      SHA-512:D623E4D271A0DCC0F16E4A2DC4D10422DE42445D6DA60A5FDB149C511B5E5363DE448696592E11DCE118F950EED2E92CFFB78056C80E1A8E3A42D44EC54CB9F3
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):169984
                                                                                                                                                                                                      Entropy (8bit):6.398159480656867
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3072:+dGb9/jT+3ZazHitaf6fc5q/RYmgdwy6jnwU8AF+3eWQAZHbC:+dGb9/+3sLia6u7Ih8AsRhBe
                                                                                                                                                                                                      MD5:6832B9A7AB871D81BE42054F117B8299
                                                                                                                                                                                                      SHA1:935C0FE7E6CB356A8854E3B7046FD7FC0AA29C61
                                                                                                                                                                                                      SHA-256:B1316E04B3BF464906F4E015D3E71B4E06A65CC6E59A20A96984EE1E862DCB0E
                                                                                                                                                                                                      SHA-512:E6579F7DF7B3C43219E47630A6B51A576D2FFA9902DDB0F309F5CCB210242DD16EBEC75439B2BAC22E5CB0B62984386CB6EB4190B2914827B79E3E4AFBBDEE9C
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):478208
                                                                                                                                                                                                      Entropy (8bit):6.657367656177312
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:12288:rF2tNYpFGB/zPDxB9+lfwskvdkuuNRcsUBm+6dwczL:wYpABLclfokbAsUBP+
                                                                                                                                                                                                      MD5:3A58690AFF7051BB18EA9D764A450551
                                                                                                                                                                                                      SHA1:5CE859B3229DA70925FFA25564CB6D7C84DD6C36
                                                                                                                                                                                                      SHA-256:D2D0B729837574D2EB6ADAC4F819BC4F8534AC9A43B17663942B2401A02DB02A
                                                                                                                                                                                                      SHA-512:299634094A624EE8AD2898D3F2BDF8FEE23F234C160992E68D087AF828A16FF18E3D1FB1CA5755E82F592D6E3E335C63A9C8DAD04EF003D2127BBFCDBEC649D4
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):233984
                                                                                                                                                                                                      Entropy (8bit):6.639915060449015
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6144:OCIWfHHSPufQePpFEXiO1BwOD1NUGvRf8+7wNTBhg:OpWfHHSPudfOD1H8QwNTH
                                                                                                                                                                                                      MD5:55FC1EB1359AFDA427CF8CF7FC840CF2
                                                                                                                                                                                                      SHA1:F854CD1A0217AC9EB82220D87B43EC1C17B71A86
                                                                                                                                                                                                      SHA-256:77E642601D600B8DDA1FC64E4CC8D556FC53217DF933122C487EC43C1F60E2DE
                                                                                                                                                                                                      SHA-512:D7728CC9969A9BC7FC7B70884E86478A96ED33796B078D47170A0A894E8EEC982B61A0D3094867FF976FF3E97AD15A638A06C138A418FB952E76AE4FE79B9CB4
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PEM certificate
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1212
                                                                                                                                                                                                      Entropy (8bit):5.904728962463118
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:LrcYcm2Y6hdQmUX0lVzng6JjgsI0lfhdQhpjxO7zypJ88K6gW28Z5NaPHbw+zsGP:LrcYbCh+X0XnrjgsI0FoHjxbznK6gWva
                                                                                                                                                                                                      MD5:37249E5BD6B7D97DFF1E7B7EE3ADE379
                                                                                                                                                                                                      SHA1:DBEE49494713937BB2A014097454C469C723B712
                                                                                                                                                                                                      SHA-256:88DCD9DEC617218506C92814C2AB22FA7EAABE51CF8282465D3F70382D1D2CEC
                                                                                                                                                                                                      SHA-512:F8EBF9EFB7BFBB47DA47B453052B10F059000021989C02FA3CA8DA324AFF4923D3D1777ED86EBB7914980142358B5A3929A0EBE1D581CF4DB52B8A8A1FC8CEA8
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PEM certificate
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1212
                                                                                                                                                                                                      Entropy (8bit):5.904728962463118
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:LrcYcm2Y6hdQmUX0lVzng6JjgsI0lfhdQhpjxO7zypJ88K6gW28Z5NaPHbw+zsGP:LrcYbCh+X0XnrjgsI0FoHjxbznK6gWva
                                                                                                                                                                                                      MD5:37249E5BD6B7D97DFF1E7B7EE3ADE379
                                                                                                                                                                                                      SHA1:DBEE49494713937BB2A014097454C469C723B712
                                                                                                                                                                                                      SHA-256:88DCD9DEC617218506C92814C2AB22FA7EAABE51CF8282465D3F70382D1D2CEC
                                                                                                                                                                                                      SHA-512:F8EBF9EFB7BFBB47DA47B453052B10F059000021989C02FA3CA8DA324AFF4923D3D1777ED86EBB7914980142358B5A3929A0EBE1D581CF4DB52B8A8A1FC8CEA8
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):6634688
                                                                                                                                                                                                      Entropy (8bit):6.301626651290575
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:98304:wmUHFesQOQfyhqjNZfjVuo95zBx2GQz4sni:wmme9OQ7jVuKDYGCRi
                                                                                                                                                                                                      MD5:D64EF8F62E694FC68A53CF8CA44CB6FB
                                                                                                                                                                                                      SHA1:67B8FEF4496A6C75300B3FCE6641FD5C37B38743
                                                                                                                                                                                                      SHA-256:2C988B1FBB5A1FD4C8C6745DFBA4E9F54715DB32BD4AC9DBB157316C83B20833
                                                                                                                                                                                                      SHA-512:251531483999B13613E036E290D67BB1A7C5829A3CB9742AE9CD1D1A782691AFECE80031772862BEB6C58DEA6C11924E09067EF03D972D41C6EF0AE701B53E2D
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):2172216
                                                                                                                                                                                                      Entropy (8bit):6.709878039513874
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:49152:LkUFbvVrZuxV5fzo+y+9gjhYhptvwdRezosg:LpbvVrZud7o+yV2dvwn
                                                                                                                                                                                                      MD5:0FFE29C5EFF5BD3E25142A388FBEDB5A
                                                                                                                                                                                                      SHA1:23869F53B974BD0AB6EB08C90F48E900AD7BEBD6
                                                                                                                                                                                                      SHA-256:4C2D7F9ED2F8E2A55C2D6E34F1BBAC74DC3606168010E798C3249A43EB4E9B98
                                                                                                                                                                                                      SHA-512:8A3E613B9ED7AFD698E5AF3B676FE8ED147992D80B8748D68CA4C380CE6C3D6EADFFE410C31438EE13FC2C31C4844D5A610FA9E3AEFB6A8C68537C7EC852DE36
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PEM certificate
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1212
                                                                                                                                                                                                      Entropy (8bit):5.904728962463118
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:LrcYcm2Y6hdQmUX0lVzng6JjgsI0lfhdQhpjxO7zypJ88K6gW28Z5NaPHbw+zsGP:LrcYbCh+X0XnrjgsI0FoHjxbznK6gWva
                                                                                                                                                                                                      MD5:37249E5BD6B7D97DFF1E7B7EE3ADE379
                                                                                                                                                                                                      SHA1:DBEE49494713937BB2A014097454C469C723B712
                                                                                                                                                                                                      SHA-256:88DCD9DEC617218506C92814C2AB22FA7EAABE51CF8282465D3F70382D1D2CEC
                                                                                                                                                                                                      SHA-512:F8EBF9EFB7BFBB47DA47B453052B10F059000021989C02FA3CA8DA324AFF4923D3D1777ED86EBB7914980142358B5A3929A0EBE1D581CF4DB52B8A8A1FC8CEA8
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PEM certificate
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):1212
                                                                                                                                                                                                      Entropy (8bit):5.916479117884784
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:LrcYw2/a2YVdQ/UX0lVzngeJu3W/Jkek2LN7SP4StSfn6vBdKZLEeaaF9gZ+cdQJ:LrcYitqMX0Xn3u3Wpx7Q4rP6vB8+eaaR
                                                                                                                                                                                                      MD5:7A65B4226F7B4F594BB4800E3B0996C6
                                                                                                                                                                                                      SHA1:5008A17A4426675A5781980151F0F2D06F31CC77
                                                                                                                                                                                                      SHA-256:905C65B5D8E5436932FE9EE5781EBC26E26B9E302790689058E48BDA376DDFA5
                                                                                                                                                                                                      SHA-512:09FA5AB2EA077DC2A27C2E421A0AECD525EC0BBE27E6442177CA48C753AE74811F8C1851CAB376BDD09E616C318D09CDDCB4A79861FC716FC2CA37123ACFD3CA
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):5848896
                                                                                                                                                                                                      Entropy (8bit):7.994878119676408
                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                      SSDEEP:98304:2u33UC7GOvq8jDuqywJBcm+d4wiysY1JBW99qu1EQd71YUfxt1adDJYGBo:2ufGOv5jDVywjcLrBsY13GEUyUf0ZbS
                                                                                                                                                                                                      MD5:EA18C971818F833249090BB8B11F72C3
                                                                                                                                                                                                      SHA1:9F1F166751452A2F9286DA2EC79092F031029617
                                                                                                                                                                                                      SHA-256:D2B17C8815A7E2E5F96C5A8DE96E949EDF4F4009EB9941A0B8A472D6A59A62EF
                                                                                                                                                                                                      SHA-512:A8D5DDE31BC4431ECF94D02891F3993AC4C10F60D4B5EA7FEEBB35C0CEA0E2A6D8A9D9E54B4EE1506B1C0A2B1A2DFC2C2CB4D67835F76FD0C444FCF95D67E7FA
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....,.Q..................................... ....@..........................p.......SY..........@....................................................Y.P,...........................................................................................text...,........................... ..`.itext..D........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.....................................rdata..............................@..@.rsrc................ ..............@..@.............p......................@..@........................................................................................................................................
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp
                                                                                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):6144
                                                                                                                                                                                                      Entropy (8bit):4.289297026665552
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                                                                                                                                      MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                                                                                                                                      SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                                                                                                                                      SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                                                                                                                                      SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....HP..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp
                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):23312
                                                                                                                                                                                                      Entropy (8bit):4.596242908851566
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                                                                                                      MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                                                                                                      SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                                                                                                      SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                                                                                                      SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                                      Entropy (8bit):1.2362395355754736
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:CrvrXyA19Kh7XlH7X7uYfL97hKW57w7/COW/u4HdWqATiba7R:CrvbC7X97X7uq7X57c/G/xHWiba7R
                                                                                                                                                                                                      MD5:F644A25C8F0A9E11286279E5366174A0
                                                                                                                                                                                                      SHA1:3105D0B8C2CF9227CD34C76301796CB7F529D13F
                                                                                                                                                                                                      SHA-256:61D62C308365C39609A676E90B9ADC61CB42AB63702B99EA15FD797F5740BB7F
                                                                                                                                                                                                      SHA-512:F1AEDF84B4CC6046F900DC3027085B6C6FE813E312A0C790499E1944B0BF3E947F25F5457094873A7E344E7A2C2285BAEEF8C8CD2684A041D5003C4E8CC2064D
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 1024, file counter 2, database pages 10, cookie 0x5, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):10240
                                                                                                                                                                                                      Entropy (8bit):2.501478360190244
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:192:hvKXzkVmvQhyn+ZoQfqlQbGhMHPaVAL23v8GPS2TL:hozkVmvQhyn+ZooGa23
                                                                                                                                                                                                      MD5:C9CF9084265E93FC60D724165800A694
                                                                                                                                                                                                      SHA1:EC540117704B73135A8CBAF802D33D80C033456A
                                                                                                                                                                                                      SHA-256:C725F3167F68C46816B4BE16A9D4354600B8C6D39F0415865BD07BD012E6FE39
                                                                                                                                                                                                      SHA-512:5721784E18F2DF7F2D28E634E26BC342796B218376F0AD950DB7AE664B70CB8086382C9CD4FF1F02C540735189DE0C43BB044173154086D9BDEF43FB0FD5F8E3
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                      Size (bytes):6704
                                                                                                                                                                                                      Entropy (8bit):0.4410264672451485
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6:mldksX7l897s4oztlySl897s4oztl3K0XtlQUl/M6pgn7q34/vmM0:Rkq972t0N972tlnXtaupgn3GM0
                                                                                                                                                                                                      MD5:C1056C59315AE2B5784B8DE693032751
                                                                                                                                                                                                      SHA1:E9E09977C68F1156F68FB8341917FCFB4E563820
                                                                                                                                                                                                      SHA-256:40B06B968EE18E0917AB6FCBB4732A9B6E92C1E5E58534EFAB995079480D3951
                                                                                                                                                                                                      SHA-512:D745E37A1FE02BB14D57FEA19410B45B828014AEBB7EBF8842D473E9CB8A7981E748580CA034DB25EB4C4693485194DC7CB93A485920F0932C9E6221B93FF64D
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):16384
                                                                                                                                                                                                      Entropy (8bit):1.0620566074984352
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3:Lt/hV/plfltt/lE9lllnldl/lyGltdl/l8/fNDqLrT0V8AUqgRpbw8aRay:5X9cvV3Xy/fg8RUBR+LD
                                                                                                                                                                                                      MD5:4B003872CF5606DAC86A9D37C06DE851
                                                                                                                                                                                                      SHA1:91332CB46790C6CC12C4B9BA458B2891BD80B244
                                                                                                                                                                                                      SHA-256:D4C3CE6B099FA7D9EC228BA2CAF8B36B33EAD3597203AB50084740C8C7C2161A
                                                                                                                                                                                                      SHA-512:B78C7AEB96AA0E37F72685CAC458ADB4FF684140682F61B30A9BAF429C84193FB92C29251445B5CEEAE39EEEE533B49B9B45506A45CF44EA804E79E810402F0D
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 1024, file counter 1, database pages 9, cookie 0x5, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):9216
                                                                                                                                                                                                      Entropy (8bit):1.4343584400685017
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:192:OvKXzkVmvQhyn+ZoQfqlQbGhMHPaVAL23v8:OozkVmvQhyn+Zoo
                                                                                                                                                                                                      MD5:E45C3FB0F28FE6590E3D75C785E65C1F
                                                                                                                                                                                                      SHA1:D96690392E6428CAC59BBAA9B2BCDBAC27E683E5
                                                                                                                                                                                                      SHA-256:020B3C13B4DC97A12AF70E1330D364FF2B17D08B6E4F607F3527EBCF962A2421
                                                                                                                                                                                                      SHA-512:BE49505ABD641BFD4A1BF6698578DAB5951DBD1B254CF540F863F586A76576833D9F52F82810B047582FF379884D7452085B277132E6627C7FBC4733A0246E2F
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:SQLite Rollback Journal
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                      Entropy (8bit):0.28499812076190567
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3:7FEG2l/gaw/Hlxll:7+/l/4
                                                                                                                                                                                                      MD5:02B1B7E830304CEF9C268BAB53A8B0F1
                                                                                                                                                                                                      SHA1:911CE2FBC23E348DE0CBB699B343C78B2B9EDE07
                                                                                                                                                                                                      SHA-256:B7D331E5A15A7DE205C734E863A7014B5E1CEECFE4138AA01415F425643C09AC
                                                                                                                                                                                                      SHA-512:27ED20A3379EAFC69FD707EE3F67B30A715BB13475BF0578DBD5F5CD6C8F28BC2AE089D9EFAA3E2252675D84F8B68539B0AF0A4F1275212639CDBAA3A378738D
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):488
                                                                                                                                                                                                      Entropy (8bit):5.320628578226095
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:12:T4LwvfU2LDcGuyrJv7vEPJDthxq429+BOlMMN:T4LwvfUzGwj2Gyh
                                                                                                                                                                                                      MD5:B99D3583C6DDFE54E4E1DB6BDC93AC29
                                                                                                                                                                                                      SHA1:6FF823D6C3761506ABA81DF72AAE0396D324C22C
                                                                                                                                                                                                      SHA-256:5AB8B78C1F366189DCEF0AC930E2FEF3C296A84BB1E9F44F88B149B4EEC3D7D8
                                                                                                                                                                                                      SHA-512:0A98F545FB54D4795D338F555DF79AD06BA99E9EB93DBEB9F99259463597384675239262C82F92E12579DF9668AC65D74FB146AF7BB18783BC33CD9A8B5DB058
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Preview:library=..name=NSS Internal PKCS #11 Module..parameters=configdir='sql:.\\' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] } Flags=internal,critical....library=.\/nssckbi.dll..name=Root Certs..NSS=trustOrder=100 ....
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):421
                                                                                                                                                                                                      Entropy (8bit):5.31978933293004
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6:EO4LLbAkm74+U2WMDAh9LGVEyqQDACAMLycmUatZr+Wkv1gX06feNWIuthIoJp/s:T4LwvfU2LDcGuyrJv7vEPJDthxq429+M
                                                                                                                                                                                                      MD5:1649BFBECBDCD7130B69D542B253555A
                                                                                                                                                                                                      SHA1:9D49992FF2694EA015BDAF9D99B419B3A49075BB
                                                                                                                                                                                                      SHA-256:E99DFC28DFC2F25B29DE94048531054BEAEC02DBCE322245522BE43B7C5B03CB
                                                                                                                                                                                                      SHA-512:99AEE8ABCAF391650E10B36EDA352AD3FB8F7C7F0B6B993C92BF47E0D54F04809B77ABE74E391B8097C7D525D2199D13A30AB37DB3B97389D4E305E511F2756B
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Preview:library=..name=NSS Internal PKCS #11 Module..parameters=configdir='sql:.\\' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] } Flags=internal,critical....
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):16384
                                                                                                                                                                                                      Entropy (8bit):1.0405977878391515
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6:5X9cvV3Xy/XKyrXsXSlxlX8ibAkm7f2WMDAh9LGVEyqQDACAMLycmUatZPNL9bAn:5NGV3Xy/NZXWviLDcGuyrJvGLOvP
                                                                                                                                                                                                      MD5:034E4E79FD530376E7B0A15C125D034C
                                                                                                                                                                                                      SHA1:7EB364455CC62774D7A546C0E75C66F89AEA47EF
                                                                                                                                                                                                      SHA-256:74E05369CFF695440FA16A2085CEFB013CC2A40327858D3F57ECB05F976A8D2D
                                                                                                                                                                                                      SHA-512:67E2F5FDA202E325B55C1A08A9B7AAACE4FCA2B4E709FD416311089A68F089DA263CDAC60D3D9FEC7077F392AE96A16BCF2BDDFD78375B4B3DB0A91D1D99713E
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                                      Entropy (8bit):1.2362395355754736
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:24:CrvrXyA19Kh7XlH7X7uYfL97hKW57w7/COW/u4HdWqATiba7R:CrvbC7X97X7uq7X57c/G/xHWiba7R
                                                                                                                                                                                                      MD5:F644A25C8F0A9E11286279E5366174A0
                                                                                                                                                                                                      SHA1:3105D0B8C2CF9227CD34C76301796CB7F529D13F
                                                                                                                                                                                                      SHA-256:61D62C308365C39609A676E90B9ADC61CB42AB63702B99EA15FD797F5740BB7F
                                                                                                                                                                                                      SHA-512:F1AEDF84B4CC6046F900DC3027085B6C6FE813E312A0C790499E1944B0BF3E947F25F5457094873A7E344E7A2C2285BAEEF8C8CD2684A041D5003C4E8CC2064D
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 32768, file counter 13, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 13
                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                      Size (bytes):229376
                                                                                                                                                                                                      Entropy (8bit):0.7155880775240049
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:384:Y1zkVmvQhyn+Zoz67NvNlwMMb333JJN81/LKXxkIDgK:YkvUMWCIkK
                                                                                                                                                                                                      MD5:13818C012EB709AD91A6CAC73F85C816
                                                                                                                                                                                                      SHA1:467A107F8391E282D753392B90502A340711D449
                                                                                                                                                                                                      SHA-256:1CE9CD65877CB094A45FACBE759C64840238A9FEED9CE6B2BDAE003F2368D9C0
                                                                                                                                                                                                      SHA-512:F21681F67DC028B49450F081024A81E0D6CE56A95C4109DDD457A096B8DFB8472B0EDB257FA94154C1D37F03C2CEFC1EBB2404A1456C1D3089D13C2655E2F57F
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:SQLite Rollback Journal
                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                      Size (bytes):229944
                                                                                                                                                                                                      Entropy (8bit):0.7160309934615812
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:384:7okfDZKvNlwMMb333JJN81/LKX9X1zkVmvQhyn+Zoz67m:zKvUMWCIZX
                                                                                                                                                                                                      MD5:5292F31B03B0114849593FC288B55FB0
                                                                                                                                                                                                      SHA1:50B2B4411EB040C720FD235189ADE5C37519D5F2
                                                                                                                                                                                                      SHA-256:D3FADA6F7F13590D38F9D89AB5B3A6ABC6C55F6200632261D884EE63185F7732
                                                                                                                                                                                                      SHA-512:FA5D9193D504D74B0EAACEE6631C0F6BE821A91559BC01DCD4B9E353FC3FB11A61BF6BD2D5049E583142096FE6C615E9C338AF28718283275108DA4669AEDEA3
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                      Size (bytes):16384
                                                                                                                                                                                                      Entropy (8bit):1.0621326031342895
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3:Lt/hV/plfltt/lE9lllnldl/lyGltdl/l8/fNDqLuoiF/CEkBgRpbw8aRay:5X9cvV3Xy/f/oi5RbR+LD
                                                                                                                                                                                                      MD5:29629F6F744343349EDCCFE7BA724C98
                                                                                                                                                                                                      SHA1:522481168F720B8F10DED84BA06B52D7991406E2
                                                                                                                                                                                                      SHA-256:D0D54FF4EBEE263CF16C4C389AA7CC68E6138CC665FF266A70C1D67B014B84C5
                                                                                                                                                                                                      SHA-512:46E59EA8B08D5C3BA26B56340D582AACFD77E3410A223842414105A11BCFA0036E3C7E4557A3170DA9CBA0D4627EA7D346A4242B04F1770784B92D95D0CD8F0C
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 32768, file counter 4, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):294912
                                                                                                                                                                                                      Entropy (8bit):0.21511308392297485
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:192:xva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vefbcxBd20vrlt8:x1zkVmvQhyn+Zoz67sx9v/8
                                                                                                                                                                                                      MD5:88A755FAD2AE107C7237C7AD115A0BC2
                                                                                                                                                                                                      SHA1:3FC90A659E9749BB133C7CBAFB557A7938CCE7AF
                                                                                                                                                                                                      SHA-256:8E829AE2A8314E8536037370AAF3ABBD4BB00FD0BEB33A3217C86C70EF83E161
                                                                                                                                                                                                      SHA-512:763A639E9F05D592CC7AC55871983EB46B53765316F6F35F00EEE691672617B26F17C1F2859A70D3B72B4046808E1FFB06CD2C901B501914985F87C43669C14D
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:SQLite Rollback Journal
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):98840
                                                                                                                                                                                                      Entropy (8bit):0.4073809050652363
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:192:7mF0vrlIyva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v9:7mevKy1zkVmvQhyn+Zoz67M
                                                                                                                                                                                                      MD5:6916A6BEEA65F1C658ED742D1174B1E3
                                                                                                                                                                                                      SHA1:E20641E09D70BC34BEC334B1E42F5BA49B5AE94D
                                                                                                                                                                                                      SHA-256:DCBBAD5ED53CBBFD149EC14745E9009CF94AEFE8B6919964174B5EA0E9D2F43F
                                                                                                                                                                                                      SHA-512:CC1A99E1810051A51CF16B974583E4A3CCFA122D0F83BBC3F049E25B8D1FA4ECD1154F9FEB470516B235AFFD5508601C6E3484B5EAF6C8BAD394FEC91C2CB2CF
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):583
                                                                                                                                                                                                      Entropy (8bit):5.365979404587368
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:12:T4Lwvf1cqOudh/aY82LDcGuyXkvsUvE+LK5H4liOlMMN:T4Lwvf1nP5abzHVG2wyh
                                                                                                                                                                                                      MD5:9FD551859E7881014F72255CD3C86BF3
                                                                                                                                                                                                      SHA1:A60BF0E36B20CD64CC4A18F76E22F3C15B4C2414
                                                                                                                                                                                                      SHA-256:9E6BA17C69C1BE63917C9997F453B33FB6CAA3CBC558D8AA8727E6093C67874F
                                                                                                                                                                                                      SHA-512:5BC1F7F5EE1C2C69FD4378CA9C511914E7428ED5C80C677EACA3C08BE80FD0E27E76E94A580B379D3BCFFD9AB0F69616A9933BE2A54CEC0777004EBBDACF8D54
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Preview:library=..name=NSS Internal PKCS #11 Module..parameters=configdir='sql:C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\sp4c0p22.default-release' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})....library=.\/nssckbi.dll..name=Root Certs..NSS=trustOrder=100 ....
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):516
                                                                                                                                                                                                      Entropy (8bit):5.357466412949027
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:12:T4Lwvf1cqOudh/aY82LDcGuyXkvsUvE+LK5H4ll:T4Lwvf1nP5abzHVG2D
                                                                                                                                                                                                      MD5:A5A070F62EF5E5D0C6B89866A3A874B8
                                                                                                                                                                                                      SHA1:6A778818FC933B906610069D237C5812C6A12569
                                                                                                                                                                                                      SHA-256:3E72C5340BE7EDD492F2EE1241CB9EF7439A7AAB3A1887B44281D0ECDB8863E2
                                                                                                                                                                                                      SHA-512:1600D27F79923A481065EB6E8925CAEFB5B92D5F95A69E91652610832DBCDB37D82A7E2E7827C0B4E29AAF725B21C6864FC6C49AEE8DFFB8FE0CC6A62AA30AB7
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Preview:library=..name=NSS Internal PKCS #11 Module..parameters=configdir='sql:C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\sp4c0p22.default-release' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})....
                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):16384
                                                                                                                                                                                                      Entropy (8bit):1.0405977878391515
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:6:5X9cvV3Xy/XKyrXsXSlxlX8ibAkm7f2WMDAh9LGVEyqQDACAMLycmUatZPNL9bAn:5NGV3Xy/NZXWviLDcGuyrJvGLOvP
                                                                                                                                                                                                      MD5:034E4E79FD530376E7B0A15C125D034C
                                                                                                                                                                                                      SHA1:7EB364455CC62774D7A546C0E75C66F89AEA47EF
                                                                                                                                                                                                      SHA-256:74E05369CFF695440FA16A2085CEFB013CC2A40327858D3F57ECB05F976A8D2D
                                                                                                                                                                                                      SHA-512:67E2F5FDA202E325B55C1A08A9B7AAACE4FCA2B4E709FD416311089A68F089DA263CDAC60D3D9FEC7077F392AE96A16BCF2BDDFD78375B4B3DB0A91D1D99713E
                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                      Size (bytes):4926
                                                                                                                                                                                                      Entropy (8bit):3.2494509078947087
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:48:FaqdF78F7B+AAHdKoqKFxcxkFiF7KaqdF78s+AAHdKoqKFxcxkFyy:cEOB+AAsoJjykePEv+AAsoJjykF
                                                                                                                                                                                                      MD5:BBB84C56497CC1480EAE7D688DB7F65B
                                                                                                                                                                                                      SHA1:6A745CFF93D046F03135482384A5C16D8FBDF2B1
                                                                                                                                                                                                      SHA-256:CA6DC1D61504DB2412AF5810AB7FCE240EFCE79C601338032CC4D9073F82DD03
                                                                                                                                                                                                      SHA-512:3B85A0176E9997B5AB2ACD60A1059475AA13DDC3B8212C62EB345045B66437380BC8ADD5E4F249AAE2FD4D44015774D4720C2B248B0F44EF79F04A33ADE1334A
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                                                                                                                                                                                      Process:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                      Size (bytes):7
                                                                                                                                                                                                      Entropy (8bit):2.2359263506290326
                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                      SSDEEP:3:t:t
                                                                                                                                                                                                      MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                                                                                                                                                                                      SHA1:D750F8260312A40968458169B496C40DACC751CA
                                                                                                                                                                                                      SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                                                                                                                                                                                      SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                      Preview:Ok.....
                                                                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                      Entropy (8bit):7.999727070686982
                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                                                                                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                      File name:veraport-g3-x64.exe
                                                                                                                                                                                                      File size:29'273'808 bytes
                                                                                                                                                                                                      MD5:d8ab34d9e288b2d5b3ea326dd6a650a1
                                                                                                                                                                                                      SHA1:8cf181bcaef90594c8ba50b0e47927957b7f3e13
                                                                                                                                                                                                      SHA256:ba1863828de1f75bb051fb3b84437a3b765c4c49bce7b7a68277ca34dd4f6d2e
                                                                                                                                                                                                      SHA512:7a8f87c09f8e434ed94dc41a7ba45ff3282e07676d3769c7faf5baa2e28343925ceedaa3074d53beed2715658c259f5f8d9c5e6e5fd66ddfe7c3b7b43002c967
                                                                                                                                                                                                      SSDEEP:786432:HKBYhZRBtV1bUh4DpnivPqvwGr3LlMpZoJnqUzuY8es2X:HHrtVF6Upiqvwi3xsZkqUaH2X
                                                                                                                                                                                                      TLSH:425733A25653747CDAA5697C319156481CCBB6560EF311FE2CB1E9CCAF33AA5083B338
                                                                                                                                                                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                                                                                      Icon Hash:2d2e3797b32b2b99
                                                                                                                                                                                                      Entrypoint:0x4113bc
                                                                                                                                                                                                      Entrypoint Section:.itext
                                                                                                                                                                                                      Digitally signed:true
                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                      Time Stamp:0x5698AC5A [Fri Jan 15 08:22:50 2016 UTC]
                                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                                      OS Version Major:5
                                                                                                                                                                                                      OS Version Minor:0
                                                                                                                                                                                                      File Version Major:5
                                                                                                                                                                                                      File Version Minor:0
                                                                                                                                                                                                      Subsystem Version Major:5
                                                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                                                      Import Hash:48aa5c8931746a9655524f67b25a47ef
                                                                                                                                                                                                      Signature Valid:true
                                                                                                                                                                                                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                                                                      Signature Validation Error:The operation completed successfully
                                                                                                                                                                                                      Error Number:0
                                                                                                                                                                                                      Not Before, Not After
                                                                                                                                                                                                      • 27/08/2023 20:00:00 17/09/2026 19:59:59
                                                                                                                                                                                                      Subject Chain
                                                                                                                                                                                                      • CN="WIZVERA Co., Ltd.", O="WIZVERA Co., Ltd.", L=Seongdong-gu, S=Seoul, C=KR, SERIALNUMBER=110111-3810929, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Seoul, OID.1.3.6.1.4.1.311.60.2.1.3=KR
                                                                                                                                                                                                      Version:3
                                                                                                                                                                                                      Thumbprint MD5:D11BF73855DAD71E2DBB41EEBF606BE1
                                                                                                                                                                                                      Thumbprint SHA-1:DA34AF2AA72AD28B7581E7EF377EDD0E7E449B5D
                                                                                                                                                                                                      Thumbprint SHA-256:E2939621E71BF2FC88AAE7D003949838715021FD4F5646350F1FBFFE728402CE
                                                                                                                                                                                                      Serial:0A6804A1E1DDBB28227470CF4FFB56F5
                                                                                                                                                                                                      Instruction
                                                                                                                                                                                                      push ebp
                                                                                                                                                                                                      mov ebp, esp
                                                                                                                                                                                                      add esp, FFFFFFA4h
                                                                                                                                                                                                      push ebx
                                                                                                                                                                                                      push esi
                                                                                                                                                                                                      push edi
                                                                                                                                                                                                      xor eax, eax
                                                                                                                                                                                                      mov dword ptr [ebp-3Ch], eax
                                                                                                                                                                                                      mov dword ptr [ebp-40h], eax
                                                                                                                                                                                                      mov dword ptr [ebp-5Ch], eax
                                                                                                                                                                                                      mov dword ptr [ebp-30h], eax
                                                                                                                                                                                                      mov dword ptr [ebp-38h], eax
                                                                                                                                                                                                      mov dword ptr [ebp-34h], eax
                                                                                                                                                                                                      mov dword ptr [ebp-2Ch], eax
                                                                                                                                                                                                      mov dword ptr [ebp-28h], eax
                                                                                                                                                                                                      mov dword ptr [ebp-14h], eax
                                                                                                                                                                                                      mov eax, 00410034h
                                                                                                                                                                                                      call 00007FD0C4B9D75Dh
                                                                                                                                                                                                      xor eax, eax
                                                                                                                                                                                                      push ebp
                                                                                                                                                                                                      push 00411A9Eh
                                                                                                                                                                                                      push dword ptr fs:[eax]
                                                                                                                                                                                                      mov dword ptr fs:[eax], esp
                                                                                                                                                                                                      xor edx, edx
                                                                                                                                                                                                      push ebp
                                                                                                                                                                                                      push 00411A5Ah
                                                                                                                                                                                                      push dword ptr fs:[edx]
                                                                                                                                                                                                      mov dword ptr fs:[edx], esp
                                                                                                                                                                                                      mov eax, dword ptr [00415B48h]
                                                                                                                                                                                                      call 00007FD0C4BA5D93h
                                                                                                                                                                                                      call 00007FD0C4BA58E2h
                                                                                                                                                                                                      cmp byte ptr [00412ADCh], 00000000h
                                                                                                                                                                                                      je 00007FD0C4BA857Eh
                                                                                                                                                                                                      call 00007FD0C4BA5EA8h
                                                                                                                                                                                                      xor eax, eax
                                                                                                                                                                                                      call 00007FD0C4B9B7F5h
                                                                                                                                                                                                      lea edx, dword ptr [ebp-14h]
                                                                                                                                                                                                      xor eax, eax
                                                                                                                                                                                                      call 00007FD0C4BA2957h
                                                                                                                                                                                                      mov edx, dword ptr [ebp-14h]
                                                                                                                                                                                                      mov eax, 00418654h
                                                                                                                                                                                                      call 00007FD0C4B9BDCAh
                                                                                                                                                                                                      push 00000002h
                                                                                                                                                                                                      push 00000000h
                                                                                                                                                                                                      push 00000001h
                                                                                                                                                                                                      mov ecx, dword ptr [00418654h]
                                                                                                                                                                                                      mov dl, 01h
                                                                                                                                                                                                      mov eax, dword ptr [0040BF3Ch]
                                                                                                                                                                                                      call 00007FD0C4BA3242h
                                                                                                                                                                                                      mov dword ptr [00418658h], eax
                                                                                                                                                                                                      xor edx, edx
                                                                                                                                                                                                      push ebp
                                                                                                                                                                                                      push 00411A06h
                                                                                                                                                                                                      push dword ptr fs:[edx]
                                                                                                                                                                                                      mov dword ptr fs:[edx], esp
                                                                                                                                                                                                      call 00007FD0C4BA5E06h
                                                                                                                                                                                                      mov dword ptr [00418660h], eax
                                                                                                                                                                                                      mov eax, dword ptr [00418660h]
                                                                                                                                                                                                      cmp dword ptr [eax+0Ch], 01h
                                                                                                                                                                                                      jne 00007FD0C4BA85BAh

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19000 | 0xdd0 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0xb200 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1be8570 | 0x2960 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x1b000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x192fc | 0x20c | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xf134 | 0xf200 | 1a600bbd86f701d3e6b2978b57906082 | False | 0.5509588068181818 | data | 6.391694459148975 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0x11000 | 0xb44 | 0xc00 | 0b6f227afa44fd825f60bccacb9073bf | False | 0.59375 | data | 5.743051976404321 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x12000 | 0xc88 | 0xe00 | da9cb156b6104ba552cb70804b8a50a3 | False | 0.24832589285714285 | data | 2.2475330543602805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0x13000 | 0x56b8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x19000 | 0xdd0 | 0xe00 | 93d91a2b90e60bd758fc0c4908856ae1 | False | 0.36439732142857145 | data | 4.97188203376719 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x1a000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x1b000 | 0x18 | 0x200 | 3dffc444ccc131c9dcee18db49ee6403 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1c000 | 0xb200 | 0xb200 | 5de8036a5e2c45688e6b20534b9c58b8 | False | 0.177953827247191 | data | 4.14117642766304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x1c41c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675 |
| RT_ICON | 0x1c544 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179 |
| RT_ICON | 0x1caac | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548 |
| RT_ICON | 0x1cd94 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516 |
| RT_STRING | 0x1d63c | 0x68 | data | | | 0.6538461538461539 |
| RT_STRING | 0x1d6a4 | 0xd4 | data | | | 0.5283018867924528 |
| RT_STRING | 0x1d778 | 0xa4 | data | | | 0.6524390243902439 |
| RT_STRING | 0x1d81c | 0x2ac | data | | | 0.45614035087719296 |
| RT_STRING | 0x1dac8 | 0x34c | data | | | 0.4218009478672986 |
| RT_STRING | 0x1de14 | 0x294 | data | | | 0.4106060606060606 |
| RT_RCDATA | 0x1e0a8 | 0x82e8 | data | English | United States | 0.11261637622344235 |
| RT_RCDATA | 0x26390 | 0x10 | data | | | 1.5 |
| RT_RCDATA | 0x263a0 | 0x150 | data | | | 0.8333333333333334 |
| RT_RCDATA | 0x264f0 | 0x2c | data | | | 1.1818181818181819 |
| RT_GROUP_ICON | 0x2651c | 0x3e | data | English | United States | 0.8387096774193549 |
| RT_VERSION | 0x2655c | 0x4f4 | data | English | United States | 0.26735015772870663 |
| RT_MANIFEST | 0x26a50 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924 |
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
                                                                                                                                                                                                      No network behavior found


                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                      Start time:22:18:31
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\Desktop\veraport-g3-x64.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\veraport-g3-x64.exe"
                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                      File size:29'273'808 bytes
                                                                                                                                                                                                      MD5 hash:D8AB34D9E288B2D5B3EA326DD6A650A1
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:1
                                                                                                                                                                                                      Start time:22:18:31
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-79CR3.tmp\veraport-g3-x64.tmp" /SL5="$60386,28872543,119296,C:\Users\user\Desktop\veraport-g3-x64.exe"
                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                      File size:1'177'088 bytes
                                                                                                                                                                                                      MD5 hash:6A96BEF4679E16A54B4090E74664DCCA
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                      • Detection: 3%, ReversingLabs
                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                                      Start time:22:18:35
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                                                                                      Imagebase:0x7ff62c440000
                                                                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                                      Start time:22:18:35
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                                                                                      Imagebase:0x7ff7648e0000
                                                                                                                                                                                                      File size:329'504 bytes
                                                                                                                                                                                                      MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                      Target ID:5
                                                                                                                                                                                                      Start time:22:18:35
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                                                                                      Imagebase:0x7ff62c440000
                                                                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                                      Start time:22:18:36
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                                                                                                                                      Imagebase:0x7ff62c440000
                                                                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                      Target ID:7
                                                                                                                                                                                                      Start time:22:18:36
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                                                                                                                      Imagebase:0x7ff62c440000
                                                                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                                      Start time:22:19:33
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Windows\system32\sc.exe" stop WizveraPMSvc
                                                                                                                                                                                                      Imagebase:0x7ff6e6500000
                                                                                                                                                                                                      File size:72'192 bytes
                                                                                                                                                                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:10
                                                                                                                                                                                                      Start time:22:19:33
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:11
                                                                                                                                                                                                      Start time:22:19:34
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe" /addloopback
                                                                                                                                                                                                      Imagebase:0x140000000
                                                                                                                                                                                                      File size:6'634'688 bytes
                                                                                                                                                                                                      MD5 hash:D64EF8F62E694FC68A53CF8CA44CB6FB
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:12
                                                                                                                                                                                                      Start time:22:19:35
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\CheckNetIsolation.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
                                                                                                                                                                                                      Imagebase:0x7ff734d40000
                                                                                                                                                                                                      File size:30'208 bytes
                                                                                                                                                                                                      MD5 hash:03CF7163B4837A001BD4667A8880D6CD
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:13
                                                                                                                                                                                                      Start time:22:19:35
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:14
                                                                                                                                                                                                      Start time:22:19:36
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                                                                                                                      Imagebase:0x7ff6b2720000
                                                                                                                                                                                                      File size:468'120 bytes
                                                                                                                                                                                                      MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:15
                                                                                                                                                                                                      Start time:22:19:36
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:16
                                                                                                                                                                                                      Start time:22:19:36
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-EK596.tmp\veraport20unloader.exe" /link
                                                                                                                                                                                                      Imagebase:0x140000000
                                                                                                                                                                                                      File size:6'634'688 bytes
                                                                                                                                                                                                      MD5 hash:D64EF8F62E694FC68A53CF8CA44CB6FB
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:17
                                                                                                                                                                                                      Start time:22:19:38
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe
                                                                                                                                                                                                      Imagebase:0x7ff687ee0000
                                                                                                                                                                                                      File size:101'376 bytes
                                                                                                                                                                                                      MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:18
                                                                                                                                                                                                      Start time:22:19:38
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:19
                                                                                                                                                                                                      Start time:22:19:38
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Windows\System32\taskkill.exe" /f /im veraport.exe
                                                                                                                                                                                                      Imagebase:0x7ff687ee0000
                                                                                                                                                                                                      File size:101'376 bytes
                                                                                                                                                                                                      MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                                      Start time:22:19:38
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:21
                                                                                                                                                                                                      Start time:22:19:38
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe
                                                                                                                                                                                                      Imagebase:0x7ff687ee0000
                                                                                                                                                                                                      File size:101'376 bytes
                                                                                                                                                                                                      MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:22
                                                                                                                                                                                                      Start time:22:19:38
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6d4dc0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:23
                                                                                                                                                                                                      Start time:22:19:38
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Windows\System32\taskkill.exe" /f /im verainagent.exe
                                                                                                                                                                                                      Imagebase:0x7ff687ee0000
                                                                                                                                                                                                      File size:101'376 bytes
                                                                                                                                                                                                      MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:24
                                                                                                                                                                                                      Start time:22:19:38
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:25
                                                                                                                                                                                                      Start time:22:19:49
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll"
                                                                                                                                                                                                      Imagebase:0x7ff6a5250000
                                                                                                                                                                                                      File size:25'088 bytes
                                                                                                                                                                                                      MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:26
                                                                                                                                                                                                      Start time:22:19:50
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe" veraport20.dll
                                                                                                                                                                                                      Imagebase:0x7ff76e4a0000
                                                                                                                                                                                                      File size:235'240 bytes
                                                                                                                                                                                                      MD5 hash:AA4EF1C182A79F24B519167C41FAB32E
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:27
                                                                                                                                                                                                      Start time:22:19:50
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:28
                                                                                                                                                                                                      Start time:22:19:51
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wizcertutil.exe" /force /gencert /target veraport
                                                                                                                                                                                                      Imagebase:0xb90000
                                                                                                                                                                                                      File size:2'172'216 bytes
                                                                                                                                                                                                      MD5 hash:0FFE29C5EFF5BD3E25142A388FBEDB5A
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:29
                                                                                                                                                                                                      Start time:22:19:54
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\
                                                                                                                                                                                                      Imagebase:0x4c0000
                                                                                                                                                                                                      File size:114'688 bytes
                                                                                                                                                                                                      MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:30
                                                                                                                                                                                                      Start time:22:19:54
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:31
                                                                                                                                                                                                      Start time:22:19:55
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\
                                                                                                                                                                                                      Imagebase:0x4c0000
                                                                                                                                                                                                      File size:114'688 bytes
                                                                                                                                                                                                      MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:32
                                                                                                                                                                                                      Start time:22:19:55
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:33
                                                                                                                                                                                                      Start time:22:19:56
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
                                                                                                                                                                                                      Imagebase:0x4c0000
                                                                                                                                                                                                      File size:114'688 bytes
                                                                                                                                                                                                      MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:34
                                                                                                                                                                                                      Start time:22:19:56
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:35
                                                                                                                                                                                                      Start time:22:19:56
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
                                                                                                                                                                                                      Imagebase:0x4c0000
                                                                                                                                                                                                      File size:114'688 bytes
                                                                                                                                                                                                      MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:36
                                                                                                                                                                                                      Start time:22:19:56
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:37
                                                                                                                                                                                                      Start time:22:19:57
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\
                                                                                                                                                                                                      Imagebase:0x4c0000
                                                                                                                                                                                                      File size:114'688 bytes
                                                                                                                                                                                                      MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:38
                                                                                                                                                                                                      Start time:22:19:57
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:39
                                                                                                                                                                                                      Start time:22:19:58
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\
                                                                                                                                                                                                      Imagebase:0x4c0000
                                                                                                                                                                                                      File size:114'688 bytes
                                                                                                                                                                                                      MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:40
                                                                                                                                                                                                      Start time:22:19:58
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

Target ID:41
Start time:22:19:58
Start date:21/11/2024
Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Imagebase:0x4c0000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:22:19:58
Start date:21/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:22:19:59
Start date:21/11/2024
Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Imagebase:0x4c0000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:22:19:59
Start date:21/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:22:20:00
Start date:21/11/2024
Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d .\
Imagebase:0x4c0000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:22:20:00
Start date:21/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:22:20:00
Start date:21/11/2024
Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d .\
Imagebase:0x4c0000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:22:20:00
Start date:21/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:22:20:01
Start date:21/11/2024
Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Imagebase:0x7ff683870000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:50
Start time:22:20:01
Start date:21/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:51
Start time:22:20:02
Start date:21/11/2024
Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d sql:.\
Imagebase:0x4c0000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:52
Start time:22:20:02
Start date:21/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6684c0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:53
                                                                                                                                                                                                      Start time:22:20:03
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
                                                                                                                                                                                                      Imagebase:0x4c0000
                                                                                                                                                                                                      File size:114'688 bytes
                                                                                                                                                                                                      MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:54
                                                                                                                                                                                                      Start time:22:20:03
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:55
                                                                                                                                                                                                      Start time:22:20:03
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\nss_new\certutil.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"c:\users\user\appdata\local\temp\is-ek596.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
                                                                                                                                                                                                      Imagebase:0x4c0000
                                                                                                                                                                                                      File size:114'688 bytes
                                                                                                                                                                                                      MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:56
                                                                                                                                                                                                      Start time:22:20:03
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:57
                                                                                                                                                                                                      Start time:22:20:05
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe" /VERYSILENT
                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                      File size:5'848'896 bytes
                                                                                                                                                                                                      MD5 hash:EA18C971818F833249090BB8B11F72C3
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:58
                                                                                                                                                                                                      Start time:22:20:06
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-990HC.tmp\wpmsvcsetup.tmp" /SL5="$702DC,5451002,118784,C:\Users\user\AppData\Local\Temp\is-EK596.tmp\wpmsvcsetup.exe" /VERYSILENT
                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                      File size:1'170'432 bytes
                                                                                                                                                                                                      MD5 hash:63B15124BE653DBE589C7981DA9D397C
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                      • Detection: 5%, ReversingLabs
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:59
                                                                                                                                                                                                      Start time:22:20:06
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Windows\system32\sc.exe" stop WizveraPMSvc
                                                                                                                                                                                                      Imagebase:0xe00000
                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:60
                                                                                                                                                                                                      Start time:22:20:06
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:61
                                                                                                                                                                                                      Start time:22:20:07
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe" -fw add
                                                                                                                                                                                                      Imagebase:0x460000
                                                                                                                                                                                                      File size:4'758'688 bytes
                                                                                                                                                                                                      MD5 hash:50E4842EA92F74B2C82426FF562E2CCD
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:62
                                                                                                                                                                                                      Start time:22:20:08
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:63
                                                                                                                                                                                                      Start time:22:20:10
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Windows\system32\sc.exe" config WizveraPMSvc start= auto
                                                                                                                                                                                                      Imagebase:0xe00000
                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:64
                                                                                                                                                                                                      Start time:22:20:10
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:65
                                                                                                                                                                                                      Start time:22:20:10
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" /i
                                                                                                                                                                                                      Imagebase:0x900000
                                                                                                                                                                                                      File size:5'647'008 bytes
                                                                                                                                                                                                      MD5 hash:3C126066F71E9A97F6D8E6383D4BA9B0
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:66
                                                                                                                                                                                                      Start time:22:20:11
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:67
                                                                                                                                                                                                      Start time:22:20:13
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Windows\system32\sc.exe" start WizveraPMSvc
                                                                                                                                                                                                      Imagebase:0xe00000
                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:68
                                                                                                                                                                                                      Start time:22:20:13
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:69
                                                                                                                                                                                                      Start time:22:20:13
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe"
                                                                                                                                                                                                      Imagebase:0x900000
                                                                                                                                                                                                      File size:5'647'008 bytes
                                                                                                                                                                                                      MD5 hash:3C126066F71E9A97F6D8E6383D4BA9B0
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                      Target ID:70
                                                                                                                                                                                                      Start time:22:20:17
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Program Files\Wizvera\Veraport20\veraport-x64.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/
                                                                                                                                                                                                      Imagebase:0x7ff64bd70000
                                                                                                                                                                                                      File size:7'671'488 bytes
                                                                                                                                                                                                      MD5 hash:FEB822E7254B73E0D4615BE26A32917F
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                      Target ID:71
                                                                                                                                                                                                      Start time:22:20:19
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
                                                                                                                                                                                                      Imagebase:0x7ff63bb60000
                                                                                                                                                                                                      File size:96'768 bytes
                                                                                                                                                                                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:72
                                                                                                                                                                                                      Start time:22:20:19
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:73
                                                                                                                                                                                                      Start time:22:20:19
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Wizvera-Veraport-G3(x64)" dir=in program="C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" action=allow
                                                                                                                                                                                                      Imagebase:0x7ff63bb60000
                                                                                                                                                                                                      File size:96'768 bytes
                                                                                                                                                                                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:74
                                                                                                                                                                                                      Start time:22:20:19
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:75
                                                                                                                                                                                                      Start time:22:20:19
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:"C:\Windows\system32\sc.exe" start WizveraPMSvc
                                                                                                                                                                                                      Imagebase:0x7ff6e6500000
                                                                                                                                                                                                      File size:72'192 bytes
                                                                                                                                                                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:76
                                                                                                                                                                                                      Start time:22:20:19
                                                                                                                                                                                                      Start date:21/11/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff6684c0000
                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000010.00000002.1942521068.00000001400A0000.00000040.00000001.01000000.00000008.sdmp, Offset: 00000001400A0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_16_2_1400a0000_veraport20unloader.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e166b5c11e0176d941f5c42abaff956ebb374baff875f5c17a252976071e886b
                                                                                                                                                                                                        • Instruction ID: 445e430d60091e02f3f4e2415a3634ce357479bc5132c3baf003f4e6e0e635a4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e166b5c11e0176d941f5c42abaff956ebb374baff875f5c17a252976071e886b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5CB14232AB4D0D47F35C8B59E8467E1B2C2F754320FAA41BED94DD33D2DC2D98868689

                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                        Execution Coverage:0.1%
                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                        Signature Coverage:33.1%
                                                                                                                                                                                                        Total number of Nodes:127
                                                                                                                                                                                                        Total number of Limit Nodes:3

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C72C290: PR_Lock.NSPR4(6C76E3F0,?,?,?,6C72114B,?,00000000,?,00000014), ref: 6C72C29A
                                                                                                                                                                                                          • Part of subcall function 6C72C290: PR_Unlock.NSPR4(6C76E3F0), ref: 6C72C2D3
                                                                                                                                                                                                        • GlobalMemoryStatus.KERNEL32(00000020), ref: 6C72115B
                                                                                                                                                                                                          • Part of subcall function 6C72C290: PR_Unlock.NSPR4(6C76E3F0,?,?,?,?,?,00000014), ref: 6C72C2FE
                                                                                                                                                                                                        • GetLogicalDrives.KERNELBASE ref: 6C721170
                                                                                                                                                                                                          • Part of subcall function 6C72C290: memcpy.MSVCR120(?,?,?,00000014), ref: 6C72C32B
                                                                                                                                                                                                          • Part of subcall function 6C72C290: PR_Unlock.NSPR4(6C76E3F0,?,?,?,00000014), ref: 6C72C33D
                                                                                                                                                                                                        • GetComputerNameA.KERNEL32(?,00000000), ref: 6C721197
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 6C7211B1
                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 6C7211CA
                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 6C7211E1
                                                                                                                                                                                                        • GetVolumeInformationA.KERNELBASE(00000000,?,00000080,?,?,?,?,00000100), ref: 6C72122D
                                                                                                                                                                                                        • GetDiskFreeSpaceA.KERNELBASE(00000000,?,?,?,?), ref: 6C7212B2
                                                                                                                                                                                                          • Part of subcall function 6C72C290: memcpy.MSVCR120(?,?,00002000,?,00000014), ref: 6C72C35F
                                                                                                                                                                                                          • Part of subcall function 6C72C290: memcpy.MSVCR120(6C76E4C2,?,?,?,?,?,?,?,00000014), ref: 6C72C3AD
                                                                                                                                                                                                          • Part of subcall function 6C72C290: PR_Unlock.NSPR4(6C76E3F0,?,?,?,?,?,?,?,00000014), ref: 6C72C3BE
                                                                                                                                                                                                          • Part of subcall function 6C721020: QueryPerformanceCounter.KERNEL32(?), ref: 6C721038
                                                                                                                                                                                                          • Part of subcall function 6C721020: memcpy.MSVCR120(?,?,?), ref: 6C72106B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Unlockmemcpy$Current$Process$ComputerCounterDiskDrivesFreeGlobalInformationLockLogicalMemoryNamePerformanceQuerySpaceStatusThreadVolume
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3012466809-3916222277
                                                                                                                                                                                                        • Opcode ID: 0764d0ca817c00b5fc36b8b0d2fdf5fe6233ba3874f1c8a9d5e106d5c9f89eb4
                                                                                                                                                                                                        • Instruction ID: 6673397293e79154f6bebfb45f8752bfcd568fcd852dddad7373b2efc21ff5f6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0764d0ca817c00b5fc36b8b0d2fdf5fe6233ba3874f1c8a9d5e106d5c9f89eb4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B5152B2504308ABE710EFA0C94DFDF77FCAB58709F544969F285D6640EB79D20887A2

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: _errno$callocmemset
                                                                                                                                                                                                        • String ID: %$sniglet^&
                                                                                                                                                                                                        • API String ID: 323951704-681435720
                                                                                                                                                                                                        • Opcode ID: 0fd1dbd3c24595ac51ccea9c4095e8850ef0fdd91ec2bc6f8764bb59b613aafa
                                                                                                                                                                                                        • Instruction ID: 5daddcc6a8132d285b25e258f743dadfaf12615ea9f21242afc71294f8378808
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0fd1dbd3c24595ac51ccea9c4095e8850ef0fdd91ec2bc6f8764bb59b613aafa
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E291F5716057009FD710EF28EE49B9B77F4EF45328F400929E96AC7A61EB31E544CB92

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SystemFunction036.ADVAPI32(?,?,6C72CD21,?,00000037,00000000,00000000,?,6C76E4C2), ref: 6C721328
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Function036System
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2600738214-0
                                                                                                                                                                                                        • Opcode ID: 62b71f725314f0b744f51868cd5a06b20346837c177e5350ae2bd78953442494
                                                                                                                                                                                                        • Instruction ID: b9bbd6057f07da3b732b37da31300c21e0f6b5a5f8c33d207e14068e2fe7d46a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 62b71f725314f0b744f51868cd5a06b20346837c177e5350ae2bd78953442494
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 12C04C30205201ABCF018E10C908A4ABFA2BB81389F508C68B08886431D736C851EB41

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • NSSUTIL_ArgParseModuleSpec.NSSUTIL3(?,?,?,?,00000000,00000000,?,?), ref: 6C791A9C
                                                                                                                                                                                                        • NSSUTIL_ArgGetParamValue.NSSUTIL3(slotParams,?,00000000,?,?,00000000,?,?), ref: 6C791B15
                                                                                                                                                                                                        • NSSUTIL_ArgParseSlotInfo.NSSUTIL3(00000000,00000000,?,slotParams,?,00000000,?,?,00000000,?,?), ref: 6C791B24
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,00000000,?,?,00000000,?,?), ref: 6C791B33
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(00000028,?,?,?,?,00000000,?,?,00000000,?,?), ref: 6C791B71
                                                                                                                                                                                                        • NSSUTIL_ArgHasFlag.NSSUTIL3(flags,internal,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 6C791B9F
                                                                                                                                                                                                        • NSSUTIL_ArgHasFlag.NSSUTIL3(flags,FIPS,?,flags,internal,?,?,?,?,?,?,00000000,?,?,00000000), ref: 6C791BBA
                                                                                                                                                                                                        • NSSUTIL_ArgHasFlag.NSSUTIL3(flags,isModuleDB,?,flags,FIPS,?,flags,internal,?,?,?,?,?,?,00000000), ref: 6C791BD5
                                                                                                                                                                                                        • NSSUTIL_ArgHasFlag.NSSUTIL3(flags,isModuleDBOnly,?,flags,isModuleDB,?,flags,FIPS,?,flags,internal,?), ref: 6C791BF0
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,00000000,?,?,00000000,?,?), ref: 6C791E78
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,00000000,?,?,00000000,?,?), ref: 6C791E89
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,00000000,?,?,00000000,?,?), ref: 6C791E96
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,00000000,?,?,00000000,?,?), ref: 6C791EA7
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_$Flag$Parse$Alloc_InfoModuleParamSlotSpecValue
                                                                                                                                                                                                        • String ID: FIPS$cipherOrder$ciphers$critical$flags$internal$isModuleDB$isModuleDBOnly$slotParams$trustOrder
                                                                                                                                                                                                        • API String ID: 1384561460-1596463532
                                                                                                                                                                                                        • Opcode ID: dcc7174293e189ed9962373c6f4d4de175ddf2ce67b2249b041a63307624e9db
                                                                                                                                                                                                        • Instruction ID: 8fcc9af2e86e32a001d9212c2d77b4422238d4ffd4da9ef019ae640221a03c7c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: dcc7174293e189ed9962373c6f4d4de175ddf2ce67b2249b041a63307624e9db
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 06D1477110A3C19FC305CF68A95457AFFE5AF9A204F084A9DF8D587B12D324D728CBA2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_value_double.SQLITE3 ref: 6C7AAFD2
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(00000032,?,%!.15g), ref: 6C7AAFEB
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(00000032,?,%!.20e), ref: 6C7AB02B
                                                                                                                                                                                                        • sqlite3_result_text.SQLITE3(?,?,000000FF,000000FF), ref: 6C7AB041
                                                                                                                                                                                                        • sqlite3_value_blob.SQLITE3(00000000), ref: 6C7AB07D
                                                                                                                                                                                                        • sqlite3_value_bytes.SQLITE3(00000000,00000000), ref: 6C7AB086
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,00000001), ref: 6C7AB13A
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000), ref: 6C7AB14D
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_snprintf$memcpysqlite3_freesqlite3_result_textsqlite3_value_blobsqlite3_value_bytessqlite3_value_double
                                                                                                                                                                                                        • String ID: %!.15g$%!.20e$NULL$string or blob too big
                                                                                                                                                                                                        • API String ID: 88571029-1779043326
                                                                                                                                                                                                        • Opcode ID: 1a7c13871f1ccd4905042a2b327551e387101dea6fc71ce0bbaa4ca70066ab78
                                                                                                                                                                                                        • Instruction ID: 4f8ab246431bf756a5c749f1f427059a02b9e94eb8c9551015262f4e5d418c23
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1a7c13871f1ccd4905042a2b327551e387101dea6fc71ce0bbaa4ca70066ab78
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B6812272A042055AD3104F68CD85BEB77E49F86358F544B7DF8958BBC2F726E40B83A2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: calloc
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2635317215-0
                                                                                                                                                                                                        • Opcode ID: 6131ab19748e270f19bde3bfc3f405ccbc3c1692c01103b96193e344de3e2d6d
                                                                                                                                                                                                        • Instruction ID: 4adc6d9c66cf9d1089d7ac1ea8cdef7c5d631c0aa98e68b7719ad4403fdd2ba6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6131ab19748e270f19bde3bfc3f405ccbc3c1692c01103b96193e344de3e2d6d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 39D1F2729057209BD320DF258E44B9FBAE8AFC5B14F158A2DFD6497680D730ED088BD2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6C72CFE1
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6C72D00B
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        • Opcode ID: 3b322df01961c056154e8df012387239bca48cf9db2d3faacec47f91ba00f4a9
                                                                                                                                                                                                        • Instruction ID: 1463e023a40c107c95f0cb6d7139748dc0fc2241b4d629408b6163b6df118b45
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3b322df01961c056154e8df012387239bca48cf9db2d3faacec47f91ba00f4a9
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D581C5715083546BC710DF68CD88E9BBBECEFC9618F440A2DF595C7705EA25D908CBA2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_free$memset
                                                                                                                                                                                                        • String ID: N$List of tree roots: $Main freelist: $Outstanding page count goes from %d to %d during this analysis$Page %d is never used$Pointer map page %d is referenced$d
                                                                                                                                                                                                        • API String ID: 2669552516-2293341685
                                                                                                                                                                                                        • Opcode ID: 45043a28dd9de7b330a41f984d997f4d23cb32657cc27c943f93f33d2bd13040
                                                                                                                                                                                                        • Instruction ID: a2b5dc39553254274fe4a14f910cd007fa654b004b9514db1082c122f36ff165
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 45043a28dd9de7b330a41f984d997f4d23cb32657cc27c943f93f33d2bd13040
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D4C137B1A083418FD710CF19C985B9BBBE2BF84328F06496DF8899B741D775E845CB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE004,?), ref: 6C740BFA
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C740C28
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        • Opcode ID: d4833a7071a8b8f08218a10b9ae670f06c969e456d90acab2d8293814e5bcb9b
                                                                                                                                                                                                        • Instruction ID: 626d7de355effbabe9a8fcbb74b0766120f9b747608a33edbb16ce6ea350fee8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d4833a7071a8b8f08218a10b9ae670f06c969e456d90acab2d8293814e5bcb9b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6FA12F715083518FC301DF28C985AAFBBE4EF99318F144A2CE4D983702DB36A919CB93
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C72E5E4
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,?,00000000,?), ref: 6C72E5FC
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000010,?), ref: 6C72E6D8
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000010,?,?,00000010,?), ref: 6C72E6F0
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?), ref: 6C72E783
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C72E7EB
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpy$memset
                                                                                                                                                                                                        • String ID: \\\\$j
                                                                                                                                                                                                        • API String ID: 438689982-2409579979
                                                                                                                                                                                                        • Opcode ID: 692f03227284d08de303d740e6fee99488a6300c8bdf645078a671a87b2798cd
                                                                                                                                                                                                        • Instruction ID: db7d145d1bf19d4bc27985e1480e2124ddb1191c0fe363ee57d9b67216f6cd49
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 692f03227284d08de303d740e6fee99488a6300c8bdf645078a671a87b2798cd
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7D0268726083899FD760CF68C980A9BBBE5BF89304F044A2DF5D9C7311D635E909CB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • _lseek.MSVCR120 ref: 6C79489A
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7948BB
                                                                                                                                                                                                        • _write.MSVCR120 ref: 6C7948E7
                                                                                                                                                                                                        • _write.MSVCR120 ref: 6C79491B
                                                                                                                                                                                                        • _errno.MSVCR120 ref: 6C794931
                                                                                                                                                                                                          • Part of subcall function 6C794D90: getenv.MSVCR120 ref: 6C794DBD
                                                                                                                                                                                                          • Part of subcall function 6C794D90: getenv.MSVCR120 ref: 6C794DCD
                                                                                                                                                                                                          • Part of subcall function 6C794D90: getenv.MSVCR120 ref: 6C794DDD
                                                                                                                                                                                                          • Part of subcall function 6C794D90: free.MSVCR120 ref: 6C794E93
                                                                                                                                                                                                          • Part of subcall function 6C794D90: _strdup.MSVCR120(?,?,?), ref: 6C794EA1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: getenv$_write$_errno_lseek_strdupfreememset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 224327209-0
                                                                                                                                                                                                        • Opcode ID: 53f9720b8177bca0ec035790e3213249743b4a88f007cd750d4413d8d1d83ca1
                                                                                                                                                                                                        • Instruction ID: a6c3bd5d84b5637a5ec2b792833e14a3500a5225bc688791a3517db042de1511
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 53f9720b8177bca0ec035790e3213249743b4a88f007cd750d4413d8d1d83ca1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E6814271A082658BD324CF2CEA4079AB7A0BF45318F044B79E974DBB81D334E959C7E6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,00000000,?,?), ref: 6C73B96F
                                                                                                                                                                                                          • Part of subcall function 6C739E90: SECITEM_ZfreeItem_Util.NSSUTIL3(?,00000000), ref: 6C739EEF
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,?), ref: 6C73B992
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,00000000,?,?), ref: 6C73B9B5
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,00000000,?,?), ref: 6C73B9D8
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Item_Zfree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3373947022-0
                                                                                                                                                                                                        • Opcode ID: 507308d789b8cba7d02a2ebd47dacb66ad92da3a937780e3390b978cca74fb9e
                                                                                                                                                                                                        • Instruction ID: ac779e3705aca32cb22ca786d583e4e0b221832d04f0cebd225ff9fb304f4484
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 507308d789b8cba7d02a2ebd47dacb66ad92da3a937780e3390b978cca74fb9e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D351E4B150C3604BC341AB3D99456AFFFE4AFC9225F941A2EE5E9C2792DB21C5088793
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6C72A581
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6C72A7A6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-3916222277
                                                                                                                                                                                                        • Opcode ID: 37839b6cb5521bee7fc8e408195b335967dc8fe58a27eeee72c14204a449ef2e
                                                                                                                                                                                                        • Instruction ID: af4c543ce7e154a875a91082e05f8b4543593e1b7f101c0eaed9403c4ddd315f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37839b6cb5521bee7fc8e408195b335967dc8fe58a27eeee72c14204a449ef2e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E2E1D57540D3908FC316CF2981A007ABFF1AFDA614F99099EF8C617742C275AD0ADB66
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?,C78346D8,6C80089D,?,00000000,?,?,6C7D0747,C78346D8,00000000,00000001,00000000), ref: 6C7AF703
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_free
                                                                                                                                                                                                        • String ID: cd0b37c52658bfdf992b1e3dc467bae1835a94ae$database corruption at line %d of [%.10s]
                                                                                                                                                                                                        • API String ID: 2313487548-4214876069
                                                                                                                                                                                                        • Opcode ID: 1e8a6df671c14c3b1fd7dc6f9329ddeadc2d96b94ef67c72e60fb6c41512e1f3
                                                                                                                                                                                                        • Instruction ID: 717d1fae6ae23e6d094cb2e2eada1cfd25e91251875b1208de746b72b422f3f3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1e8a6df671c14c3b1fd7dc6f9329ddeadc2d96b94ef67c72e60fb6c41512e1f3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8161E272A042218FC724CF6EC98468AB7E1AB88318F498779EC599BB01D735D917CBC1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(00000018,?,sqlite_stat%d,00000001), ref: 6C7D34D2
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_snprintf
                                                                                                                                                                                                        • String ID: DELETE FROM %Q.%s WHERE %s=%Q$sqlite_stat%d
                                                                                                                                                                                                        • API String ID: 949980604-3667113883
                                                                                                                                                                                                        • Opcode ID: 0ddbdcf9b0a6031153bdbd881c007d49dd37113459a8f858c8373965e4d571ed
                                                                                                                                                                                                        • Instruction ID: ca98fbb8f6fc3494410a9784f0f8344b3dba97bd80e3b36c070ad0a0f14f689b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0ddbdcf9b0a6031153bdbd881c007d49dd37113459a8f858c8373965e4d571ed
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0051A0B56093558FC304CF29C690A6BBBF1BF89708F16495DF8968B702D731E905CB92
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 57e933c31db69466806b924523d0bbedb6f0bd012a8bbfbe49f844496ad6b0a5
                                                                                                                                                                                                        • Instruction ID: 095c88c227f04cd7a9c7ff25e86695afca6e83cf47f91df27bc2d29b2f994d90
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 57e933c31db69466806b924523d0bbedb6f0bd012a8bbfbe49f844496ad6b0a5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A231E5711017099FE7208F95DA48757B7E4FF0930CF104A2DE8A692E50E735F52ACB86
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: ec5c703fa0b6500aae84852d7bb2a8e87432bc2263d23cc18d4bf4be0d45dfc0
                                                                                                                                                                                                        • Instruction ID: 257394381ef8574fb4c4645cc35b297c602060fd1b6b0c47335514e59783645b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ec5c703fa0b6500aae84852d7bb2a8e87432bc2263d23cc18d4bf4be0d45dfc0
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EAF05EB27001129BCB10DA6DDD85D8777ACEF9266AB050538F904CB721D725E819CBB1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e15d8df5fc2af6bebedac9b1f540dad2081c4e0471bf698f74376ef8da56b0e9
                                                                                                                                                                                                        • Instruction ID: ae595d958df0bafaac6dfcf62ac2cefce3da41969424c05b32120a92f1733517
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e15d8df5fc2af6bebedac9b1f540dad2081c4e0471bf698f74376ef8da56b0e9
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 87F0B4316011069BCB10DFA9ED88D87B7E8EF86769B050579E544CB611E731E829C7E1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,keyinfo(%d,?,?,00000602,?,?,?,?,?,?,?,?,00000020), ref: 6C7B859F
                                                                                                                                                                                                        • memcpy.MSVCR120(?,nil,?,?,?,?,?,00000602,?,?,?,?,?,?,?,?), ref: 6C7B8623
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,collseq(%.20s),?), ref: 6C7B867F
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,%s(%d),?,?), ref: 6C7B86A3
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,%lld,?,?), ref: 6C7B86C5
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,6C80D13C,?,?,?,?,?,?,?,?,?,?,00000602), ref: 6C7B86E2
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,%.16g), ref: 6C7B8707
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,vtab:%p:%p,?,?), ref: 6C7B87A2
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,intarray,?,?,?,?,00000602,?,?,?,?,?,?,?,?), ref: 6C7B87BC
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,program,?,?,?,00000020,?,?,?,00000000,?,6C7EBB96), ref: 6C7B87D6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_snprintf$memcpy
                                                                                                                                                                                                        • String ID: %.16g$%lld$%s(%d)$(blob)$NULL$collseq(%.20s)$intarray$keyinfo(%d$nil$program$vtab:%p:%p
                                                                                                                                                                                                        • API String ID: 3845099228-3424991891

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(?,?,?,?,?,00000800), ref: 6C79150A
                                                                                                                                                                                                        • PORT_ArenaStrdup_Util.NSSUTIL3(00000000,?,00000004,00000000,00000000,0000000A), ref: 6C79155F
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • d, xrefs: 6C791986
                                                                                                                                                                                                        • slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512], xrefs: 6C79195F
                                                                                                                                                                                                        • slotFlags, xrefs: 6C791964
                                                                                                                                                                                                        • d, xrefs: 6C79161A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$ArenaArena_Strdup_
                                                                                                                                                                                                        • String ID: d$d$slotFlags$slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
                                                                                                                                                                                                        • API String ID: 443542217-3984357275

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_smprintf.NSPR4(%s/%s,?,?,?,?,?,?,?,6C7813C5,?,?,?,?,?,?,?), ref: 6C7816C7
                                                                                                                                                                                                        • PR_Access.NSPR4(?,00000001,?,?,?), ref: 6C7816DF
                                                                                                                                                                                                        • PR_MkDir.NSPR4(?,?), ref: 6C7816FE
                                                                                                                                                                                                        • PR_OpenFile.NSPR4(00000000,0000002A,?), ref: 6C781713
                                                                                                                                                                                                        • PR_GetError.NSPR4 ref: 6C781724
                                                                                                                                                                                                        • PR_Delete.NSPR4(00000000), ref: 6C78172D
                                                                                                                                                                                                        • PR_smprintf_free.NSPR4(00000000), ref: 6C781734
                                                                                                                                                                                                        • PR_SetError.NSPR4(00000000,00000000), ref: 6C781740
                                                                                                                                                                                                        • PR_Write.NSPR4(00000000,?,00000026), ref: 6C781758
                                                                                                                                                                                                        • PR_GetError.NSPR4 ref: 6C781760
                                                                                                                                                                                                        • PR_Close.NSPR4(?), ref: 6C78176E
                                                                                                                                                                                                        • PR_Delete.NSPR4(00000000), ref: 6C781781
                                                                                                                                                                                                        • PR_smprintf_free.NSPR4(00000000), ref: 6C781788
                                                                                                                                                                                                        • PR_SetError.NSPR4(?,00000000), ref: 6C781794
                                                                                                                                                                                                        • PR_Delete.NSPR4(00000000), ref: 6C7817A5
                                                                                                                                                                                                        • PR_smprintf_free.NSPR4(00000000), ref: 6C7817AC
                                                                                                                                                                                                        • PR_SetError.NSPR4(00000000,00000000), ref: 6C7817B7
                                                                                                                                                                                                        • PR_smprintf_free.NSPR4(00000000), ref: 6C7817C6
                                                                                                                                                                                                        • PR_SetError.NSPR4(FFFFE012,00000000,?,?,?,?,?,6C7813C5,?,?,?,?,?,?,?,?), ref: 6C7817DE
                                                                                                                                                                                                        • PR_SetError.NSPR4(00000000,00000000,?,?), ref: 6C7817E6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error$R_smprintf_free$Delete$AccessCloseFileOpenR_smprintfWrite
                                                                                                                                                                                                        • String ID: %s/%s
                                                                                                                                                                                                        • API String ID: 462712420-2758257063
                                                                                                                                                                                                        • Opcode ID: d0f6bfebd6b82b39c9df594910891fa47b3988ff765dea574f21ab955b8207b0
                                                                                                                                                                                                        • Instruction ID: 23316b3103911ddfa7211666d7419bfb2984e8cf4b014146978584d3f0ab973f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0f6bfebd6b82b39c9df594910891fa47b3988ff765dea574f21ab955b8207b0
                                                                                                                                                                                                        • Instruction Fuzzy Hash: DC4128727022006BDF001F799D8EA56B7B8EF42337F140639FA15D2980DB21E51587A5

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,?,?,?,?,?,?,6C78246B,00000018,?), ref: 6C7836C8
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000800,00000000,00000000,?,?,?,?,?,?,6C78246B,00000018,?), ref: 6C7836D6
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(?,00000038,?,00000000,?,?,?,?,?,?,6C78246B,00000018,?), ref: 6C7836F8
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,000000B0,?,00000038,?,00000000,?,?,?,?,?,?,6C78246B,00000018,?), ref: 6C783705
                                                                                                                                                                                                          • Part of subcall function 6C78A750: PORT_SetError_Util.NSSUTIL3(FFFFE001,6C783733,?,?,?,?,?,?,?,00000000), ref: 6C78A75E
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(?,00000000,6C797880,?,?,?,?,?,?,?,?,00000000), ref: 6C783757
                                                                                                                                                                                                        • SECOID_GetAlgorithmTag_Util.NSSUTIL3(00000010,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78376D
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,00000028,00000000), ref: 6C7837A8
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000000,6C7975F0,?), ref: 6C7837C4
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000000,6C7976A0,?), ref: 6C7837E2
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,00000028,00000000), ref: 6C783851
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000000,6C797750,?), ref: 6C78386D
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,6C78246B,00000008), ref: 6C783892
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000008,6C7975A0,?), ref: 6C7838B1
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,00000028,00000000), ref: 6C7838D7
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000000,6C797790,?), ref: 6C7838F3
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,00000028,00000000), ref: 6C783919
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,00000000,6C797820,?), ref: 6C783931
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000000,00000070,6C78246B,00000008), ref: 6C783951
                                                                                                                                                                                                        • PORT_GetError_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78398B
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE00F,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78399C
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(?,00000001,00000000,?,?,?,?,?,?,6C78246B,00000018,?), ref: 6C7839AC
                                                                                                                                                                                                        • SECITEM_ZfreeItem_Util.NSSUTIL3(?,00000001,00000000,?,?,?,?,?,?,6C78246B,00000018,?), ref: 6C7839BF
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,00000000,?,?,?,?,?,?,6C78246B,00000018,?), ref: 6C7839D2
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Item_$DecodeQuick$Copy$Arena_$Error_$Alloc_ArenaFree$AlgorithmTag_Zfree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1576164735-0
                                                                                                                                                                                                        • Opcode ID: 5b12909eef11f6823fdc8fb580fda4f7b9d3a0547b6f3fddb60eecf0c43431bd
                                                                                                                                                                                                        • Instruction ID: 54e8dbafc416ef8a1cc4c62a567bf1a30f2cb5b82aa17d339f0fdb71b9c59fa3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b12909eef11f6823fdc8fb580fda4f7b9d3a0547b6f3fddb60eecf0c43431bd
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C781D9714063046BD710DA6A9E48EE7B6EC9F4425CF440B39FAB9C3B51F734D60987A2

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6C7362F7
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C73630E
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,0000001C), ref: 6C736324
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C736337
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,FFFFE013), ref: 6C73633F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C736785
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Arena_$Alloc_ArenaFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1144393034-0
                                                                                                                                                                                                        • Opcode ID: f3637b123e031208076fd6409409aef1949e2c08b9396751b48e9ebb7252628b
                                                                                                                                                                                                        • Instruction ID: 292e1d57c1359ae16a36e300a1bb93a0a50e8fd9184b42653f9de2f4032f4472
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f3637b123e031208076fd6409409aef1949e2c08b9396751b48e9ebb7252628b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 35C13272D053249BC710ABA49E49BCB77DCAB44628F480639FE58D7741FB25DA1C82E2

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ArenaMark_Util.NSSUTIL3(00000001,00000000,00000000,00000000,00000000,?,?,6C78E9AA,00000000,?,?), ref: 6C78CAD3
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000001,?,?,00000001,00000000,00000000,00000000,00000000,?,?,6C78E9AA,00000000,?,?), ref: 6C78CAE5
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012,00000000,00000000,00000000,00000000,?,?,6C78E9AA,00000000,?,?), ref: 6C78CB04
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,00000000,00000000,00000000,00000000,?,?,6C78E9AA,00000000,?,?), ref: 6C78CB71
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,00000001,?,00000000,00000000,00000000,00000000,?,?,6C78E9AA,00000000,?,?), ref: 6C78CB7B
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,?,?,?,?,00000000,00000000,00000000,00000000,?,?,6C78E9AA,00000000,?,?), ref: 6C78CB9B
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,00000000,00000000,00000000,00000000,?,?,6C78E9AA,00000000,?,?), ref: 6C78CBB1
                                                                                                                                                                                                        • PORT_ArenaRelease_Util.NSSUTIL3(00000001,?,00000000,00000000,00000000,00000000,?,?,6C78E9AA,00000000,?,?), ref: 6C78CE71
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena$Alloc_$Error_$CopyItem_Mark_Release_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1854098273-0
                                                                                                                                                                                                        • Opcode ID: cd943fa876784eba79e053197cb2e76a0e1dbdb3d013ce6ec1be89a938e34717
                                                                                                                                                                                                        • Instruction ID: e5dbff834a061f2e8a43569b71d8e7480ecbe176d1f93479ebb23a8ada94b107
                                                                                                                                                                                                        • Opcode Fuzzy Hash: cd943fa876784eba79e053197cb2e76a0e1dbdb3d013ce6ec1be89a938e34717
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CFC1E470A053159FC750DF29CA8891ABBE4FF44309F04463DFA9997B12D335EA18CBA1

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C741675
                                                                                                                                                                                                        • PR_Open.NSPR4(00000000,00000001,00000000,?,6C74160F,00000000), ref: 6C7416AE
                                                                                                                                                                                                        • PR_Read.NSPR4(00000000,?,0000000C), ref: 6C7416CC
                                                                                                                                                                                                        • PR_Seek.NSPR4(00000000,00000000), ref: 6C741729
                                                                                                                                                                                                          • Part of subcall function 6C741A10: PR_Read.NSPR4(?,?,00000004,?,6C74173A,00000000,?), ref: 6C741A1C
                                                                                                                                                                                                          • Part of subcall function 6C741A10: PORT_Alloc_Util.NSSUTIL3(?,00000000,?,?,?), ref: 6C741A5A
                                                                                                                                                                                                          • Part of subcall function 6C741A10: PR_Read.NSPR4(?,00000000,?,00000000,?,?,?), ref: 6C741A71
                                                                                                                                                                                                          • Part of subcall function 6C741A10: PORT_Free_Util.NSSUTIL3(?), ref: 6C741A82
                                                                                                                                                                                                        • PR_Close.NSPR4(00000000), ref: 6C74179E
                                                                                                                                                                                                          • Part of subcall function 6C7391B0: PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C7391BD
                                                                                                                                                                                                        • PR_Open.NSPR4(?,00000001,00000000), ref: 6C7417CA
                                                                                                                                                                                                        • PR_Read.NSPR4(00000000,?,00001000), ref: 6C741800
                                                                                                                                                                                                        • PR_Read.NSPR4(00000000,?,00001000), ref: 6C74182D
                                                                                                                                                                                                        • PR_Close.NSPR4(00000000), ref: 6C74183B
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C74187D
                                                                                                                                                                                                        • PR_Close.NSPR4(00000000), ref: 6C741890
                                                                                                                                                                                                        • PR_Close.NSPR4(00000000), ref: 6C7418A2
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,6C74160F,00000000), ref: 6C7418C3
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C7418D8
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C7418E9
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C7418FA
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C74190B
                                                                                                                                                                                                          • Part of subcall function 6C7419A0: PORT_Alloc_Util.NSSUTIL3(?,00000000,?,00000000,00000000,6C74169B,?), ref: 6C7419BD
                                                                                                                                                                                                          • Part of subcall function 6C7419A0: strncmp.MSVCR120 ref: 6C7419D9
                                                                                                                                                                                                          • Part of subcall function 6C7419A0: memcpy.MSVCR120(00000000,?,?,?,6C74160F,00000000), ref: 6C7419EB
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_$Read$Close$Alloc_Open$Error_Seekmemcpymemsetstrncmp
                                                                                                                                                                                                        • String ID: @
                                                                                                                                                                                                        • API String ID: 780958896-2766056989
                                                                                                                                                                                                        • Opcode ID: f58369d60d717118310ff17d7f7d90342ce113e909b51c743671bb7b80e2d950
                                                                                                                                                                                                        • Instruction ID: 050d6f55b780015b1d6162bb357905482ff155cfb56bddfde3b6b742a4d36787
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f58369d60d717118310ff17d7f7d90342ce113e909b51c743671bb7b80e2d950
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 107105B1E043446BE710AB628E48FEB77ECAF45368F444938F999C2600EB74D568C793

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6C7367C0
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C7367D3
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000034), ref: 6C7367E8
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C7367FB
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,FFFFE013), ref: 6C736803
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C736ABE
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Arena_$Alloc_ArenaFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1144393034-0
                                                                                                                                                                                                        • Opcode ID: 4792b8e136291e283de9aae7f51ce81b3d9de773c31f00a8248ee1c6c695cdd5
                                                                                                                                                                                                        • Instruction ID: 2b1c5a59bb9b8ef5af5fe52b174bd936f77de1343451854d580361b420be455d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4792b8e136291e283de9aae7f51ce81b3d9de773c31f00a8248ee1c6c695cdd5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EC8148B380532427C600AAA49E4DADB7B9CFB44328F440739FE59D6B41EB65DA2C47D2

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000), ref: 6C7381DF
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,000000A8,?,?,?,?,00000000,?), ref: 6C7381FD
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,?,?,?,?,?,00000000,?), ref: 6C73820E
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C738449
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$Alloc_ArenaError_Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3977766762-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7C4C16
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000), ref: 6C7C4C46
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?), ref: 6C7C4F1C
                                                                                                                                                                                                        • sqlite3_errcode.SQLITE3(00000000), ref: 6C7C4F3A
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_free$memsetsqlite3_errcode
                                                                                                                                                                                                        • String ID: BINARY$MATCH$NOCASE$RTRIM$cd0b37c52658bfdf992b1e3dc467bae1835a94ae$misuse at line %d of [%.10s]$temp
                                                                                                                                                                                                        • API String ID: 467454842-3795481504
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,6C786331,00000000), ref: 6C78BD06
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000), ref: 6C78BD19
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_Error_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1115575410-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,?,?,6C78C131,?,?,?,?,00000000,00000000), ref: 6C78E1F9
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,00000000,?,00000000,?,?), ref: 6C78E20C
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000034,?,?,?,?,?,?,?,00000000,?,00000000,?,?), ref: 6C78E21E
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,?), ref: 6C78E231
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C78E23C
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_Error_$Alloc_ArenaFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2983971270-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78EDEA
                                                                                                                                                                                                        • memcpy.MSVCR120(00000009,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78EE1D
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78EEA0
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,00000000), ref: 6C78EEBE
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C78EECC
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78EEFC
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78EF10
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlockUtil$Alloc_Free_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 166647195-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,?,?,00000000,00000000,?,6C73EE81,?,?,?,?,?), ref: 6C73E8D1
                                                                                                                                                                                                        • SECITEM_CompareItem_Util.NSSUTIL3(?,?,?), ref: 6C73E8F7
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(0000033C,?), ref: 6C73E918
                                                                                                                                                                                                        • PR_WaitCondVar.NSPR4(000000FF,?), ref: 6C73E977
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,?,?,?), ref: 6C73E983
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,00000000,00000000,?,6C73EE81,?,?,?,?,?), ref: 6C73E99E
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,0000033C,?,?,?,?,?,?), ref: 6C73E9B5
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?), ref: 6C73E9C5
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?), ref: 6C73E9EE
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?), ref: 6C73EA04
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?), ref: 6C73EA1F
                                                                                                                                                                                                        • PR_NotifyAllCondVar.NSPR4 ref: 6C73EAD8
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,?,?,?,?), ref: 6C73EB6A
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?), ref: 6C73EB80
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?), ref: 6C73EB96
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Unlock$Cond$Alloc_CompareFree_Item_LockNotifyWait
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 928305141-0
                                                                                                                                                                                                        • Opcode ID: 427fd4cc9778c04dffdc7fafc7d1c063b25ec416c73adef53705f5d5a9862bdc
                                                                                                                                                                                                        • Instruction ID: ddca3aaa8beee05577be3c060199627740c980c71a2608278beb4afda4ae846c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 427fd4cc9778c04dffdc7fafc7d1c063b25ec416c73adef53705f5d5a9862bdc
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 529115716043298BDB119F64DE48A4B7BB5FF45318F140639F92D82652E732D928CBE2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_step.SQLITE3(?), ref: 6C7A55E4
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7A564E
                                                                                                                                                                                                        • sqlite3_errmsg.SQLITE3(?), ref: 6C7A5987
                                                                                                                                                                                                        • sqlite3_errmsg.SQLITE3(?,00000001), ref: 6C7A59C6
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,00000001), ref: 6C7A59D1
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_errmsg$memcpymemsetsqlite3_step
                                                                                                                                                                                                        • String ID: API call with %s database connection pointer$cd0b37c52658bfdf992b1e3dc467bae1835a94ae$d$d$d$e$invalid$misuse at line %d of [%.10s]
                                                                                                                                                                                                        • API String ID: 3439753543-3498987161
                                                                                                                                                                                                        • Opcode ID: 60cd8d5ee9f75eb57301a9ee4eb9255bd4c9ad37957c07d7cb7d91e84aead784
                                                                                                                                                                                                        • Instruction ID: 02fd7d5a66f3099f444cf2037e379352006a6a4d65ef75d0368a832d8c66663c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 60cd8d5ee9f75eb57301a9ee4eb9255bd4c9ad37957c07d7cb7d91e84aead784
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 78D127B19057419FD790CFA5EE84B1A77E4AF40718F140A3CF895ABB51E331E846CB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_smprintf.NSPR4(%s/%s,?,?,?,?,?,?,?,6C7811B3,?,?), ref: 6C781449
                                                                                                                                                                                                        • PR_OpenFile.NSPR4(00000000,00000001,00000000,6C7811B3,?,?), ref: 6C781462
                                                                                                                                                                                                        • PR_smprintf_free.NSPR4(?), ref: 6C78146E
                                                                                                                                                                                                        • PR_CreateFileMap.NSPR4(00000000,?,?,00000000), ref: 6C7814A7
                                                                                                                                                                                                        • PR_GetError.NSPR4 ref: 6C7814B6
                                                                                                                                                                                                          • Part of subcall function 6C781000: PORT_Alloc_Util.NSSUTIL3(?), ref: 6C781007
                                                                                                                                                                                                        • PR_MemMap.NSPR4(00000000,00000000,00000000,?), ref: 6C7814D5
                                                                                                                                                                                                        • PR_Close.NSPR4(00000000), ref: 6C7814E7
                                                                                                                                                                                                        • PR_SetError.NSPR4(FFFFE012,00000000,?,?,?,?,?,6C7811B3,?,?), ref: 6C781519
                                                                                                                                                                                                        • PR_GetError.NSPR4(?,?), ref: 6C78151E
                                                                                                                                                                                                        • PR_CloseFileMap.NSPR4(00000000), ref: 6C78152B
                                                                                                                                                                                                        • PR_Close.NSPR4(00000000), ref: 6C781539
                                                                                                                                                                                                        • PR_SetError.NSPR4(00000000,00000000), ref: 6C781545
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error$CloseFile$Alloc_CreateOpenR_smprintfR_smprintf_freeUtil
                                                                                                                                                                                                        • String ID: %s/%s
                                                                                                                                                                                                        • API String ID: 1058884531-2758257063
                                                                                                                                                                                                        • Opcode ID: 121bd6947f598f1222cb107f0fdc7f81d51a9be3af56d8a6112a66ce5dcc3fb7
                                                                                                                                                                                                        • Instruction ID: 4a5dac59bd9a2d67643748f4282b87d60a31e515ac0d173927394d0f62738d7c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 121bd6947f598f1222cb107f0fdc7f81d51a9be3af56d8a6112a66ce5dcc3fb7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AD412471A063105FD7028F2C9D48B277BF8EF82215F254179F96A87282EB36D406C7A5
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,?,?,?,?,?), ref: 6C74128C
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?), ref: 6C74129F
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,00000000,?,?,?,?,?), ref: 6C741320
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE00A,00000000,?,?,?,?,00000000,?,?,?,?,?), ref: 6C74132A
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE00A,?,?,?,?), ref: 6C741488
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3186423673-0
                                                                                                                                                                                                        • Opcode ID: 25beaf91406e3370132d00c07b49069d07e5bb7fcab9b039e21c612a8774d5ed
                                                                                                                                                                                                        • Instruction ID: 1295e15e23c21b1f0f1c1aceb746eb4f27ecc1ef6ddf7ead888290ef2f7e8207
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 25beaf91406e3370132d00c07b49069d07e5bb7fcab9b039e21c612a8774d5ed
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D0619D71A082101BC701AF3CDE8569E7FA1AF85238F548378F965CAB91C726D52E8393
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE03F,?,00000000,?,?,?,?,00000000), ref: 6C73F71A
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6C73F7CA
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(?,?,00000000), ref: 6C73F81F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,00000000), ref: 6C73FB21
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,00000000), ref: 6C73FB38
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,00000000), ref: 6C73FB4F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,00000000), ref: 6C73FB66
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$AllocItem_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4233208270-0
                                                                                                                                                                                                        • Opcode ID: f1cd46863d5a776ea7b69a2b3c0953edadd944028aa4ad3b5d2b2a67bfc68b97
                                                                                                                                                                                                        • Instruction ID: 97d46015848728eee81bf2cea0fa48035657e4b290cfa1b84cc7ebf722eaefc1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f1cd46863d5a776ea7b69a2b3c0953edadd944028aa4ad3b5d2b2a67bfc68b97
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C9E109726403145BE300DAA98F88A9B77ECFF05258F04063AFE58C2B52FB65E50C8792
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6C73D70B
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C73D722
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000070), ref: 6C73D737
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C73D74A
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,FFFFE013), ref: 6C73D752
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(?,00000004,00000001), ref: 6C73D7EE
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(00000000), ref: 6C73D81A
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73D957
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Arena_$AllocAlloc_ArenaFreeItem_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3283120434-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012,6C78EC73,?,?,?,?,00000000), ref: 6C78CF7E
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012,?,?,6C78EC73,?,?,?,?,00000000), ref: 6C78CFBB
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID: Server-Cert
                                                                                                                                                                                                        • API String ID: 1971245937-580305613
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,6C7902F9,?,6C79058D,?), ref: 6C78E9DB
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,6C7902F9,?,6C79058D,?), ref: 6C78E9EE
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,6C7902F9,?,6C79058D,?), ref: 6C78EA04
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,6C7902F9,?,6C79058D,?), ref: 6C78EA17
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,6C7902F9,?,6C79058D,?), ref: 6C78EA21
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$Error_$Free
                                                                                                                                                                                                        • String ID: Version
                                                                                                                                                                                                        • API String ID: 1635372823-1889659487
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?), ref: 6C73CCB7
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,?,?,?,?,6C73C414,?), ref: 6C73CCCA
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000040,?), ref: 6C73CCDF
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?), ref: 6C73CCF2
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,FFFFE013,?,?), ref: 6C73CCFA
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?,?,?,?,?,?,?,6C73C414,?), ref: 6C73CF29
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Arena_$Alloc_ArenaFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1144393034-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000020,?,6C76E3F0), ref: 6C72BF12
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,6C76E3F0,?,?,?,?,?,?,?,?,?,?,?,?,?,6C72C376), ref: 6C72BF25
                                                                                                                                                                                                        • PORT_GetError_Util.NSSUTIL3(?,?,?,?,?,?,?,?,6C76E3F0), ref: 6C72BF2D
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000050,?,?,?,?,?,?,?,?,6C76E3F0), ref: 6C72BF3F
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,6C75FF08,00000020,6C76E3F0), ref: 6C72BF5F
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,00000020,6C770840,00000000,00000020,00000000,6C75FF08,00000020,6C76E3F0), ref: 6C72BF76
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,6C75FF08,00000050,?,?,?,?,?,?,?,?,?,6C76E3F0), ref: 6C72BF9A
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,00000050,6C770840,00000000,00000050,00000000,6C75FF08,00000050), ref: 6C72BFB1
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C72C0AB
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?,?,6C76E3F0), ref: 6C72C1A0
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_Free_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1448602708-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3 ref: 6C783AD5
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000038,?,00000000,?,00000018,?,?,00000000), ref: 6C783AEB
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,0000000C,00000000,00000038,?,00000000,?,00000018,?,?,00000000), ref: 6C783AF5
                                                                                                                                                                                                        • SEC_ASN1EncodeInteger_Util.NSSUTIL3(00000000,00000004,00000000,?,?,?,?,00000000,?,00000018,?,?,00000000), ref: 6C783B18
                                                                                                                                                                                                        • SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000028,?,6C7975F0,?,00000000,?,?,?,?,?,?,?,00000000,?,00000018), ref: 6C783B52
                                                                                                                                                                                                        • SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000028,?,6C797750,?), ref: 6C783B7C
                                                                                                                                                                                                        • SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000000,?,6C7975A0,?), ref: 6C783B9E
                                                                                                                                                                                                        • SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000028,?,6C797790,?), ref: 6C783BC4
                                                                                                                                                                                                        • SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000028,?,6C797820,?,000000AE,00000000), ref: 6C783C00
                                                                                                                                                                                                        • SECOID_SetAlgorithmID_Util.NSSUTIL3(00000000,00000010,00000010,00000000,?,?,?,?,00000000), ref: 6C783C27
                                                                                                                                                                                                        • SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,?,00000000,6C797880,00000000,?,?,?,?,?,?,?,00000000,?,00000018), ref: 6C783C41
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C783C77
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000001,?,?,?,?,00000000,?,00000018,?,?,00000000), ref: 6C783C85
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$EncodeItem_$Alloc_ArenaArena_$AlgorithmCopyFreeInteger_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1424342863-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: free$_errno$_close_unlink
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1503863391-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000001), ref: 6C788B50
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C788B69
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C788B8B
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,00000000,00000000,6C7886E0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C788BA9
                                                                                                                                                                                                        • PORT_Realloc_Util.NSSUTIL3(?,00000000,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 6C788D7D
                                                                                                                                                                                                          • Part of subcall function 6C78FE70: PORT_NewArena_Util.NSSUTIL3(00000800,00000000,?,00000003,?,?,?,?,?,?,?,?,?,?,?), ref: 6C78FE7C
                                                                                                                                                                                                          • Part of subcall function 6C789150: PORT_Alloc_Util.NSSUTIL3(00000004,?,?,6C788C1E,?,00000000,00000000,?), ref: 6C789183
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_$Arena_Free_Realloc_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3569415626-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,6C72C213,?,?), ref: 6C72C3DE
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,6C72C213,?,?), ref: 6C72C3FD
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(00000024,?,?,?,00000000,6C789C69,?,?,?,6C789EA0,00000000,?), ref: 6C7828E6
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?), ref: 6C7828F9
                                                                                                                                                                                                        • PR_NewLock.NSPR4(?), ref: 6C78292C
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(?), ref: 6C782963
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6C78297B
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(?), ref: 6C782990
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C782A2F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6C782A3C
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,00000000), ref: 6C782A5F
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Strdup_$Error_Free_$Alloc_Lock
                                                                                                                                                                                                        • String ID: key
                                                                                                                                                                                                        • API String ID: 3089373587-2324736937
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,?,?,?,?,?,?,?,?,6C78269E,?), ref: 6C78AEE9
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000098), ref: 6C78AF03
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,?), ref: 6C78AF4B
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,?,6C7974E0,?), ref: 6C78AF67
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6C78AF76
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_Item_$Alloc_ArenaCopyDecodeFreeQuick
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 171508100-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,6C78F389,?,00000000,6C790AEA,6C78F389,?,?,?,00000000,?,?), ref: 6C78E0D8
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,?), ref: 6C78E0EB
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000038,00000000,?,?), ref: 6C78E0FC
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,00000000,?,?), ref: 6C78E10F
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,00000000,?,?), ref: 6C78E11A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_Error_$Alloc_ArenaFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2983971270-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_EnterMonitor.NSPR4(?,00000014,0000002C,6C78FCFB,6C78A880), ref: 6C78D50F
                                                                                                                                                                                                        • PR_Lock.NSPR4(00000000,00000014,0000002C,6C78FCFB,6C78A880), ref: 6C78D51F
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,00000000,?,?,6C78F256,?,?,?,00000000), ref: 6C78D537
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(CB3BDE2B,00000000,?,?,?,00000000,?,?,6C78F256,?,?,?,00000000), ref: 6C78D56E
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(CB8B0A76,00000000,?,?,?,00000000,?,?,6C78F256,?,?,?,00000000), ref: 6C78D58B
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(8B2D79C9,00000000,?,?,?,00000000,?,?,6C78F256,?,?,?,00000000), ref: 6C78D5A5
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C78D5C6
                                                                                                                                                                                                        • PR_Lock.NSPR4(6C78A880,00000000,00000428,00000000,?,?,?,00000000,?,?,6C78F256,?,?,?,00000000), ref: 6C78D5D1
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(6C78A880,?,?,?,?,?,?,?,?,?,?,?,?,6C78F256,?,?), ref: 6C78D5E5
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,6C78F256,?,?), ref: 6C78D608
                                                                                                                                                                                                        • PR_ExitMonitor.NSPR4(?), ref: 6C78D61F
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Free_Util$LockMonitorUnlock$EnterExitmemset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 160986327-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C782880: PORT_ZAlloc_Util.NSSUTIL3(00000024,00000000,6C782EC1,00000000,00000000,?,?), ref: 6C782883
                                                                                                                                                                                                          • Part of subcall function 6C782880: PORT_SetError_Util.NSSUTIL3(FFFFE013,?), ref: 6C782896
                                                                                                                                                                                                        • PR_Lock.NSPR4(?), ref: 6C782EFD
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?), ref: 6C782F17
                                                                                                                                                                                                          • Part of subcall function 6C7819A0: PORT_ZAlloc_Util.NSSUTIL3(0000000C,00000000,6C782F32,?,?,?,?,?,?,?,?,?), ref: 6C7819A3
                                                                                                                                                                                                          • Part of subcall function 6C781D00: PR_Lock.NSPR4(?,?,?,6C782F66,?,?), ref: 6C781D0C
                                                                                                                                                                                                          • Part of subcall function 6C781D00: PR_Unlock.NSPR4(?), ref: 6C781D27
                                                                                                                                                                                                          • Part of subcall function 6C783560: PR_Lock.NSPR4(?,?,?,?,?,?,6C782F73,?,?,?,?,00000000), ref: 6C783571
                                                                                                                                                                                                          • Part of subcall function 6C783560: PR_Unlock.NSPR4(?,?,?,6C782F73,?,?,?,?,00000000), ref: 6C78358C
                                                                                                                                                                                                          • Part of subcall function 6C781D40: PR_Lock.NSPR4(?,?,?,6C782FED,?,?,?,00000000,?,?,?,00000000), ref: 6C781D4C
                                                                                                                                                                                                          • Part of subcall function 6C781D40: PR_Unlock.NSPR4(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 6C781D67
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,?,?), ref: 6C78319D
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?), ref: 6C7831AC
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000001), ref: 6C7831CA
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(?,00000000), ref: 6C7831DF
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlockUtil$Alloc_Free$Arena_Error_Item_
                                                                                                                                                                                                        • String ID: fake-password-check$global-salt$password-check
                                                                                                                                                                                                        • API String ID: 1731304325-2685589741
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(00000028), ref: 6C7912FC
                                                                                                                                                                                                        • PORT_Realloc_Util.NSSUTIL3(00000000,00000002), ref: 6C791378
                                                                                                                                                                                                        • NSSUTIL_Quote.NSSUTIL3(?,00000022), ref: 6C791407
                                                                                                                                                                                                        • PR_smprintf.NSPR4(library= name="NSS Internal PKCS #11 Module" parameters=%s NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})",00000000,slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]), ref: 6C791420
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C791429
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512], xrefs: 6C791415
                                                                                                                                                                                                        • library= name="NSS Internal PKCS #11 Module" parameters=%s NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})", xrefs: 6C79141B
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Free_QuoteR_smprintfRealloc_
                                                                                                                                                                                                        • String ID: library= name="NSS Internal PKCS #11 Module" parameters=%s NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})"$slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
                                                                                                                                                                                                        • API String ID: 586391234-3487049042
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: getenv$_strdupfree
                                                                                                                                                                                                        • String ID: /_hashXXXXXX$TEMP$TMP$TMPDIR
                                                                                                                                                                                                        • API String ID: 3734450856-1198602212
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_LoadLibrary.NSPR4(rdb.dll,?,?,6C7832F1,?,?,key,00000302,?,?,00000000,00000000,?,6C782A0A,?,?), ref: 6C789F70
                                                                                                                                                                                                        • PR_FindSymbol.NSPR4(00000000,rdbstatus), ref: 6C789F8F
                                                                                                                                                                                                        • PR_FindSymbol.NSPR4(00000000,rdbopen), ref: 6C789F9C
                                                                                                                                                                                                        • PR_GetEnv.NSPR4(NSS_DISABLE_UNLOAD), ref: 6C78A029
                                                                                                                                                                                                        • PR_UnloadLibrary.NSPR4(00000000), ref: 6C78A037
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: FindLibrarySymbol$LoadUnload
                                                                                                                                                                                                        • String ID: NSS_DISABLE_UNLOAD$rdb.dll$rdbopen$rdbstatus
                                                                                                                                                                                                        • API String ID: 3172142894-590385284
                                                                                                                                                                                                        • Opcode ID: 8f3f125b35a43f9ec9988490feedb6c0eaa2e12c84d131c7378c718e14eb3a21
                                                                                                                                                                                                        • Instruction ID: 17d68c06f1b3748a928bd0b3671d4b347956ebf927cdc994da7aef0a3f70a416
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8f3f125b35a43f9ec9988490feedb6c0eaa2e12c84d131c7378c718e14eb3a21
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7331B73160B2029FDB0A9E6DDE00BAF7EB5EBE5354F10043CF651C2571D62AC856D792
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,6C78F389,?,?,6C78F389,?,?,?,?,?), ref: 6C7905FB
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,6C78F389,?,?,?,?,?), ref: 6C79060E
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,6C78F389,?,?,?,?,?), ref: 6C790624
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,6C78F389,?,?,?,?,?), ref: 6C790637
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,6C78F389,?,?,?,?,?), ref: 6C790641
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$Error_$Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1635372823-0
                                                                                                                                                                                                        • Opcode ID: ee64b80638830610e7fd437ab4e30a0c52fb6d999b04a3fb5005c2c14e370193
                                                                                                                                                                                                        • Instruction ID: 72c5529f18562f90b5df779be8d1d02e1ef04cd6cbd45969f57f12423280718d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ee64b80638830610e7fd437ab4e30a0c52fb6d999b04a3fb5005c2c14e370193
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9C2168A6A442112AE65065A87E4DEEB3298DBD022DF480739FE19D0721F71AD71D43F3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,6C78F275,?,00000000,?,?,?,?,?,00000000), ref: 6C78E7AB
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,6C78F275,?,00000000,?,?,?,?,?,00000000), ref: 6C78E7BE
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,?,6C78F275,?,00000000,?,?,?,?,?,00000000), ref: 6C78E7D4
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,6C78F275,?,00000000,?,?,?,?,?,00000000), ref: 6C78E7E7
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,6C78F275,?,00000000,?,?,?,?,?,00000000), ref: 6C78E7F1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$Error_$Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1635372823-0
                                                                                                                                                                                                        • Opcode ID: a894f378bcb94746d70a37f2cacd79fd44cde74f25f04a0ef1c61ec0318e76f5
                                                                                                                                                                                                        • Instruction ID: 55d8141f7fad129c00f3cfa22858d6b6bf4e2434fad15d4da665c04584d3769a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a894f378bcb94746d70a37f2cacd79fd44cde74f25f04a0ef1c61ec0318e76f5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 182149AAA4421126E65025A57E4DFEF3298DBC022DF880B39FE19D0721F329D71D42F3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,-00000004,?,?,6C7900CC,?,?,-00000004,?,?,?,?,00000000,00000000), ref: 6C78E57B
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,-00000004,?,?,6C7900CC,?,?,-00000004,?,?,?,?,00000000,00000000,?,00000000), ref: 6C78E58E
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,-00000004,?,?,6C7900CC,?,?,-00000004,?,?,?,?,00000000,00000000,?,00000000), ref: 6C78E5A4
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,-00000004,?,?,6C7900CC,?,?,-00000004,?,?,?,?,00000000,00000000,?), ref: 6C78E5B7
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,-00000004,?,?,6C7900CC,?,?,-00000004,?,?,?,?,00000000), ref: 6C78E5C1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$Error_$Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1635372823-0
                                                                                                                                                                                                        • Opcode ID: eb830f2e95276a8eab2ccd78298171770197ffdca7bf31b81ea5c1faadbd2065
                                                                                                                                                                                                        • Instruction ID: 550c050512664bb170d15d01d59b2329fe9bf15f840239cc64a1f9f5e04994d9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: eb830f2e95276a8eab2ccd78298171770197ffdca7bf31b81ea5c1faadbd2065
                                                                                                                                                                                                        • Instruction Fuzzy Hash: BE2128A6A442112AE25075A47E49EEB329CCB90169F880635FE19D0B61F719D71E03F3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,6C78F389,?,00000000,?,?,6C790BAD,?,?,6C78F389,?,?,6C78F389), ref: 6C78E8CB
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,?,6C790BAD,?,?,6C78F389,?,?,6C78F389), ref: 6C78E8DE
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000,?,?,6C790BAD,?,?,6C78F389,?,?,6C78F389), ref: 6C78E8F4
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,00000000,?,?,6C790BAD,?,?,6C78F389,?,?,6C78F389), ref: 6C78E907
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,00000000,?,?,6C790BAD,?,?,6C78F389,?,?,6C78F389), ref: 6C78E911
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$Error_$Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1635372823-0
                                                                                                                                                                                                        • Opcode ID: 2511d23438634f79d2fd2f353b0ef8f6c67e17c8d751a3f6e52d74a9bf2419a4
                                                                                                                                                                                                        • Instruction ID: 4eca41097198ffcf89431fea7c1a5222de14551150ba5fe43878a790eff1ac07
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2511d23438634f79d2fd2f353b0ef8f6c67e17c8d751a3f6e52d74a9bf2419a4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F72148A6A441112AE19021A57D49FEB3658CB8023DF980736FE29D0760F72EE71E43F3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C803C40
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,00000048,%s-shm,00000000,00000000,00000000,?,?), ref: 6C803C5C
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000,?,?,?,?,?,?,?,?), ref: 6C803D01
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000,?,00000000), ref: 6C803D57
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000,00000000,?,00000000), ref: 6C803D5E
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000,?), ref: 6C803ED7
                                                                                                                                                                                                          • Part of subcall function 6C7A49E0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C7A4A09
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_free$Unothrow_t@std@@@__ehfuncinfo$??2@memsetsqlite3_snprintf
                                                                                                                                                                                                        • String ID: %s-shm$winOpenShm
                                                                                                                                                                                                        • API String ID: 120432133-828534212
                                                                                                                                                                                                        • Opcode ID: 64c44f41776905916479f986a4f785196cf720d6facbfcc6a954d01ac4002687
                                                                                                                                                                                                        • Instruction ID: 833edf3a8992a0d01031d07aecd05def2d9637c174db2338d4ec022537df1b77
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 64c44f41776905916479f986a4f785196cf720d6facbfcc6a954d01ac4002687
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A6910471B40201AFEB309F649E4AF9637E8AF05309F140974FE49DBA82E775E814C791
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C7BF2F0: memset.MSVCR120 ref: 6C7BF31A
                                                                                                                                                                                                          • Part of subcall function 6C7BF2F0: sqlite3_snprintf.SQLITE3(000000E6,?,6C80CAC0,00000000,?,00000000), ref: 6C7BF33B
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000), ref: 6C7A7F6D
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • winOpen, xrefs: 6C7A80F3
                                                                                                                                                                                                        • delayed %dms for lock/sharing conflict, xrefs: 6C7A80D3
                                                                                                                                                                                                        • cannot open file at line %d of [%.10s], xrefs: 6C7A814F
                                                                                                                                                                                                        • cd0b37c52658bfdf992b1e3dc467bae1835a94ae, xrefs: 6C7A8145
                                                                                                                                                                                                        • psow, xrefs: 6C7A8192
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memsetsqlite3_freesqlite3_snprintf
                                                                                                                                                                                                        • String ID: cannot open file at line %d of [%.10s]$cd0b37c52658bfdf992b1e3dc467bae1835a94ae$delayed %dms for lock/sharing conflict$psow$winOpen
                                                                                                                                                                                                        • API String ID: 2311472976-2754320314
                                                                                                                                                                                                        • Opcode ID: 7144ba81892bf8f08a4d57466931213236fe1822ee5b366ee556a55ae77db594
                                                                                                                                                                                                        • Instruction ID: d0e846e4bed63d609a8c09df4ac91705547639b0679ae4666f0a6fc88346f919
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7144ba81892bf8f08a4d57466931213236fe1822ee5b366ee556a55ae77db594
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5791C171A043419FD720DF69CA49B4BB7F4AB49318F040B3EF85493A80E774E546CB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3 ref: 6C782AA6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Arena_Util
                                                                                                                                                                                                        • String ID: password-check
                                                                                                                                                                                                        • API String ID: 702427320-2616774086
                                                                                                                                                                                                        • Opcode ID: cac3a073df4d71716080e6ca606fdc8c6efa4e3329a26c86d7c3c69d5aeaac9f
                                                                                                                                                                                                        • Instruction ID: e3b65851c3389eca30cd4a6203d719f8dc8fa567833d8ab2e3858ac3b8fca6a2
                                                                                                                                                                                                        • Opcode Fuzzy Hash: cac3a073df4d71716080e6ca606fdc8c6efa4e3329a26c86d7c3c69d5aeaac9f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8D31277280620627D6109E549E49E9B76DCAF406ADF440739FE68A6751F735CA0883E2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(00000008,?,?,?,00000000,?,6C7834A6,?,?,?,?,?,00000000,6C783058,?,?), ref: 6C781BB7
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C781C00
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C781C11
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,00000000,?,00000001), ref: 6C781C17
                                                                                                                                                                                                        • memcpy.MSVCR120(00000003,00000000,00000000,?,00000001), ref: 6C781C46
                                                                                                                                                                                                        • memcpy.MSVCR120(-00000003,6C797360,?,00000003,00000000,00000000,?,00000001), ref: 6C781C59
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,00000000,?,-00000003,6C797360,?,00000003,00000000,00000000,?,00000001), ref: 6C781C73
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$memcpy$Alloc_Free_
                                                                                                                                                                                                        • String ID: `syl
                                                                                                                                                                                                        • API String ID: 536192182-4130083290
                                                                                                                                                                                                        • Opcode ID: c6d07cab4e84edb340a00cc34485ef90600be674fa74c0d9df93cbe39c46f627
                                                                                                                                                                                                        • Instruction ID: 19ca47a77f93071fab1bf0025ed3eb2660a437dff3688fa5042c8f7d56bfaec6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c6d07cab4e84edb340a00cc34485ef90600be674fa74c0d9df93cbe39c46f627
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 512124B26093457FCB05CFA4ED49996BBB4FF41218B088639E951C7B01E721E66CC7E1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECITEM_CompareItem_Util.NSSUTIL3(?,?), ref: 6C745B04
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(?,?,00000000), ref: 6C745E7E
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE00A), ref: 6C745ED3
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C745F7A
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C745F97
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C745FB4
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C745FD1
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C745FEE
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Item_memset$AllocCompare
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2407257861-0
                                                                                                                                                                                                        • Opcode ID: 1a88137306e9843777e9948e81bd9f02195a7d1203ffe3a98c0925baeef9df96
                                                                                                                                                                                                        • Instruction ID: 268855c529c20cd43036b39045874fff970beb01789f5aa1420969adfbd25df9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1a88137306e9843777e9948e81bd9f02195a7d1203ffe3a98c0925baeef9df96
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 68E184728057159BD720DEA1EB48FDBB7DCAB44214F188A3AE968D7A00E735D50C87E3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003,?,?,00000000,?), ref: 6C7373A9
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?), ref: 6C737402
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?), ref: 6C737432
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000000), ref: 6C7375CE
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6C73765C
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6C737768
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?), ref: 6C737800
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?,?), ref: 6C737818
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?), ref: 6C737830
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3186423673-0
                                                                                                                                                                                                        • Opcode ID: 9b6da5dc307c969dbf2367b01092358c2c8f9a847d77c42cfcef669679a71ee5
                                                                                                                                                                                                        • Instruction ID: 7b235c0704843efca73182db73288d1e9831870565735ef8d5443702c691073a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9b6da5dc307c969dbf2367b01092358c2c8f9a847d77c42cfcef669679a71ee5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1D1C2B38047149BC700DAA4CF48ACBB3EDABC4224F14093AEE59C7711FB75D24997A2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000000), ref: 6C736183
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(00000000,?,?), ref: 6C7361B6
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7361CA
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,00000000,?,00000000,?), ref: 6C7361DB
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?), ref: 6C7361F2
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(?,00000000), ref: 6C736240
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C736275
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(?,?), ref: 6C736288
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C7362AA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$memset$Error_Free_memcpy$AllocAlloc_Item_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3904356330-0
                                                                                                                                                                                                        • Opcode ID: 7c76988f8c88d866d0b6d29f0be76c00a8002558e03a1621ad60cd6a505c171c
                                                                                                                                                                                                        • Instruction ID: 60e1c6ea64cb52dea5e07eadb6691c76f8e105bcdc1a72f46f959c3958fbd275
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7c76988f8c88d866d0b6d29f0be76c00a8002558e03a1621ad60cd6a505c171c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F771C5719043156BD700DAE58E8CECB7BECAF84218F048539FA68C6612EB75D60C9793
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
• Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memset
                                                                                                                                                                                                        • String ID: CREATE TABLE %Q.sqlite_sequence(name,seq)$Pgy$TABLE$UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d$sqlite_master$sqlite_temp_master$table$tbl_name='%q'
                                                                                                                                                                                                        • API String ID: 2221118986-537395371
                                                                                                                                                                                                        • Opcode ID: 5670e3e49b4f2445477752d07cc71eb8dcce4781002b0daee65ef3bb074b8e31
                                                                                                                                                                                                        • Instruction ID: 997d50658de235d90c86136e4f4ed6e540db1196c7a7b9d067d97d158174643b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5670e3e49b4f2445477752d07cc71eb8dcce4781002b0daee65ef3bb074b8e31
                                                                                                                                                                                                        • Instruction Fuzzy Hash: DE91CEB0508341AFD711CF24CE84B5BBBE8BF89308F04492DF99986B52E372E558CB52
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6C73010C
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C730149
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,00000000,?), ref: 6C730169
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6C730316
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3190935853-0
                                                                                                                                                                                                        • Opcode ID: 17acc3f4d145731fdd609cd93ef2fe8fe601fd49de595d94d67fae8581c3a72b
                                                                                                                                                                                                        • Instruction ID: fff2e0442e4a75fab4319c7af92ced65a666e9dae22ebae41f4f3cd2a9f1f81b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 17acc3f4d145731fdd609cd93ef2fe8fe601fd49de595d94d67fae8581c3a72b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A7121725083959FC700CF68C94468ABBE0EB89328F444A6DF89CC7742E731D519CBA6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000001,00000000,?,?,?,6C78F366,?,?,?,00000800), ref: 6C78C9AC
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C78C9C2
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,00000000), ref: 6C78C9DC
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?), ref: 6C78C9EF
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,00000000,?), ref: 6C78CA0E
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000001,CE534351), ref: 6C78CA21
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,CE534351), ref: 6C78CA45
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012,?,?,?,6C78F366,?,?,?,00000800), ref: 6C78CA64
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?), ref: 6C78CA90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Arena$memcpy$Error_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2975568879-0
                                                                                                                                                                                                        • Opcode ID: 10cc5caad8a75aeabf1d4e6113448075730cbe1859a2dcf3df35512dc428d861
                                                                                                                                                                                                        • Instruction ID: 50d57613ad0e85bd70ca3b20632250a4d72a7d083fe62d3c1723316bc6052de1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 10cc5caad8a75aeabf1d4e6113448075730cbe1859a2dcf3df35512dc428d861
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8051F3716016019FDB28CF29DA54862BBE1BF80215318877DE9AAC6F11D335F519CB91
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,00000000,6C783004,?,00000002,?,?,?,?,?,?,?,00000000), ref: 6C781A1C
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000024,00000002,?,?,?,?,?,?,?,00000000), ref: 6C781A31
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,?,?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 6C781A5C
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,?), ref: 6C781A90
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,?,?,?,?,?,?,00000002), ref: 6C781AAA
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000002,?), ref: 6C781AC7
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000000,?,00000002,?), ref: 6C781ADA
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002), ref: 6C781AF1
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,00000002,?,?,?,?,?,?,?,00000000), ref: 6C781B03
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Arena$memcpy$Arena_$Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1150899496-0
                                                                                                                                                                                                        • Opcode ID: 716761afd54a4f50325a53c6e2d4251de0608f577b8ae6f9d8067e0c4a001686
                                                                                                                                                                                                        • Instruction ID: aa3c702315996085d8e7a9e44e8a7e8a41fb53deb9fdacec30a50a29892c8b3a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 716761afd54a4f50325a53c6e2d4251de0608f577b8ae6f9d8067e0c4a001686
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2431E4B15013015BD7218F65DD98B27BBE8EF40249F040A3EE9A5C6B61F725E608CBE1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE08D), ref: 6C7389C5
                                                                                                                                                                                                        • SECOID_FindOIDTag_Util.NSSUTIL3(00000000,00000000), ref: 6C7389F4
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3 ref: 6C738A32
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,?,?), ref: 6C738A4E
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE08D), ref: 6C738C63
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_ArenaFindTag_memcpy
                                                                                                                                                                                                        • String ID: 9
                                                                                                                                                                                                        • API String ID: 2675619250-2366072709
                                                                                                                                                                                                        • Opcode ID: 97251d1b55e0f62a7c515639c48885cd076a288fc2644722abf5c5ff58b28aec
                                                                                                                                                                                                        • Instruction ID: 8785d919fa28d43f1833c16283f14cb4dae10898253a3ab3701f2154bb0efeba
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 97251d1b55e0f62a7c515639c48885cd076a288fc2644722abf5c5ff58b28aec
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4B81F9203CB370F5F536650A4F6FF872D9A9B83FA6E499197734CAE9C2C1F1448485A2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_value_bytes.SQLITE3(?), ref: 6C7ABE7E
                                                                                                                                                                                                        • sqlite3_value_bytes.SQLITE3(?), ref: 6C7ABEA4
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?), ref: 6C7ABFBA
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000,?), ref: 6C7ABFEF
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000,?), ref: 6C7AC009
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?), ref: 6C7AC02D
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpysqlite3_freesqlite3_value_bytes
                                                                                                                                                                                                        • String ID: string or blob too big
                                                                                                                                                                                                        • API String ID: 2173435994-2803948771
                                                                                                                                                                                                        • Opcode ID: e2d9e5f629469b3d88ae7fbf0cc42e0694c52bd382ebfa0ba83ebfd16d9e0920
                                                                                                                                                                                                        • Instruction ID: 0daa74249c8d0f5548bbb27c8adf4f7ed3c15a152185705e1d945ecf366bdb13
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e2d9e5f629469b3d88ae7fbf0cc42e0694c52bd382ebfa0ba83ebfd16d9e0920
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D2717C329093455FC7009FA9CE8479BBBE4AF4931CF080B78F89857B51D321E956CB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?), ref: 6C73A5B4
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C73A703
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?), ref: 6C73A753
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?), ref: 6C73A765
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?,?), ref: 6C73A777
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?), ref: 6C73A789
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$memset
                                                                                                                                                                                                        • String ID: ggen
                                                                                                                                                                                                        • API String ID: 1468616262-2024611518
                                                                                                                                                                                                        • Opcode ID: 5f18944ce0f2f3e6a2f6fc84f36c1d494d2d60a05355fc5546d48b52a1154b95
                                                                                                                                                                                                        • Instruction ID: 86a7a662f2724b8e189dc6fca400a0ee87ff8d2930839d860ebf5d1f80a8c18d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5f18944ce0f2f3e6a2f6fc84f36c1d494d2d60a05355fc5546d48b52a1154b95
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C97107729053219BC710DAF88E45F8BB7E8AB48734F040629FA6DC3691D774E94887D3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C7459EA
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C74597E
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(?,?,00000000), ref: 6C7456D5
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C745999
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C7459B4
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C7459CF
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$memset$AllocItem_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2790809200-0
                                                                                                                                                                                                        • Opcode ID: e4ff304045f4dbea2e7d46826eae3e1d51391d4ee765a1e2099d63bae504907f
                                                                                                                                                                                                        • Instruction ID: d2afa23e00e9dfc7302a854cd4bebec3cc0250b59fd94d14e9d2dccac12dfa6c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e4ff304045f4dbea2e7d46826eae3e1d51391d4ee765a1e2099d63bae504907f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EFF1C6716043059BE750CEA1DA88BCFB7ECEF44218F04893AEA58C2651EB79D54CDB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7BC9CF
                                                                                                                                                                                                          • Part of subcall function 6C7F0AD0: memset.MSVCR120 ref: 6C7F0AF2
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7BCAB4
                                                                                                                                                                                                        • memcpy.MSVCR120(0000002C,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C7DB98A), ref: 6C7BCAEC
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7BCB1E
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7BCC85
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7BCCBD
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7BCD1C
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memset$memcpy
                                                                                                                                                                                                        • String ID: Expression tree is too large (maximum depth %d)
                                                                                                                                                                                                        • API String ID: 368790112-1961352115
                                                                                                                                                                                                        • Opcode ID: 4fcfc3cf18712fde119dd157ff88da202336606c80246ac474ced5e1641a6b08
                                                                                                                                                                                                        • Instruction ID: 3bfb49e7740bcb41ce25f2725089b999c0b977e5767c866e0f1ec478d6b4e8b4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4fcfc3cf18712fde119dd157ff88da202336606c80246ac474ced5e1641a6b08
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2802EF706047419FD310DF28CA80B1BBBE4BF84719F118A6DF898AB791E775E904CB92
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • misuse at line %d of [%.10s], xrefs: 6C7A5952
                                                                                                                                                                                                        • cd0b37c52658bfdf992b1e3dc467bae1835a94ae, xrefs: 6C7A5948
                                                                                                                                                                                                        • API call with %s database connection pointer, xrefs: 6C7A593C
                                                                                                                                                                                                        • invalid, xrefs: 6C7A5937
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: API call with %s database connection pointer$cd0b37c52658bfdf992b1e3dc467bae1835a94ae$invalid$misuse at line %d of [%.10s]
                                                                                                                                                                                                        • API String ID: 0-3533157927
                                                                                                                                                                                                        • Opcode ID: 8381e3b8b52d7933388bac7e411b4b01110d7eee5d30b035b7cf014392051f32
                                                                                                                                                                                                        • Instruction ID: 2b2da0f9b9fa935e6e8c1281de5affe0e66aa3df32d24f3557820e2784c86531
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8381e3b8b52d7933388bac7e411b4b01110d7eee5d30b035b7cf014392051f32
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 465159B1A057016BE790CFA5EE84B5B7BE8AF4135CF540638F8559BB41E330E40ACB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(00000080,?,cannot DETACH database within transaction), ref: 6C7A1C2B
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(00000080,?,database %s is locked,00000000), ref: 6C7A1C73
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,00000001), ref: 6C7A1CCC
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • cannot detach database %s, xrefs: 6C7A1C0F
                                                                                                                                                                                                        • cannot DETACH database within transaction, xrefs: 6C7A1C1C
                                                                                                                                                                                                        • database %s is locked, xrefs: 6C7A1C64
                                                                                                                                                                                                        • no such database: %s, xrefs: 6C7A1C02
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_snprintf$memcpy
                                                                                                                                                                                                        • String ID: cannot DETACH database within transaction$cannot detach database %s$database %s is locked$no such database: %s
                                                                                                                                                                                                        • API String ID: 3845099228-3374617522
                                                                                                                                                                                                        • Opcode ID: f2f5e35d3856142af70107d0f1030ff1cc8aaa8aa8acc73610f534e929e0020c
                                                                                                                                                                                                        • Instruction ID: c3b61f52b747bb977dd40df849abca631724837d3ae3332d17dfe8acb0c46d5d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f2f5e35d3856142af70107d0f1030ff1cc8aaa8aa8acc73610f534e929e0020c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 24512771608385DFE310CFA5CB84B56BBE5BB45348F150A69E8D45BA12E335E40BCBA2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: _errno$_getpid_openisdigit
                                                                                                                                                                                                        • String ID: _hashXXXXXX
                                                                                                                                                                                                        • API String ID: 3154219905-1410515
                                                                                                                                                                                                        • Opcode ID: 57b1f3c5f51daabb70102a1aec7fbdae7e8eac79e64d42ae882eb83a793b76e1
                                                                                                                                                                                                        • Instruction ID: 6b027b9924b975e891af5d1ffde1c34daa9b30f41a25ea05fcc31836517e5b5b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 57b1f3c5f51daabb70102a1aec7fbdae7e8eac79e64d42ae882eb83a793b76e1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1B4145316082809FE751CF2CEA4176BBBE4EF46344F98067DE9D4C3A41E7249A46C7D2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(00000000,?,?), ref: 6C7378FA
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE00A), ref: 6C737B96
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C737C10
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000000), ref: 6C737C82
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C737CA2
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C737CBD
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C737CD8
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C737CF3
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Item_memset$AllocFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1611848778-0
                                                                                                                                                                                                        • Opcode ID: 2598aa2ae442f08f7123026680695c1355b37be7916b4f1211b8efc763287430
                                                                                                                                                                                                        • Instruction ID: 837c3f056bba06e6e212e720584af4158a220135d43ba07b9dc7de5d271e9481
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2598aa2ae442f08f7123026680695c1355b37be7916b4f1211b8efc763287430
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6CC1B072C093249BD710DAA4DF48ACB73DCAB84224F050A3AFE58C3611E739D54D97E2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,6C781EA5,00000000), ref: 6C782573
                                                                                                                                                                                                        • SECOID_FindOIDTag_Util.NSSUTIL3(?,?,?,?,?,00000000,?), ref: 6C7825D0
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C782625
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(00000000,00000001,?,?,?,?,?,?,?,?,00000000,?), ref: 6C78263E
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(?,00000000,?,?,?,?,00000000,?), ref: 6C78264F
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,6C781EA5,00000000,?), ref: 6C782667
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free$Item_memcpy$Arena_FindTag_
                                                                                                                                                                                                        • String ID: psyl
                                                                                                                                                                                                        • API String ID: 1147203595-2788509253
                                                                                                                                                                                                        • Opcode ID: 5080a98b77f7ff59c3070245023a1d43ed99d5fbd12de3775a80cd2fd0195306
                                                                                                                                                                                                        • Instruction ID: b4284c7a82c38e3a8ea0a6f0f91de55fdd26acdbb94865e7cb03b02a288684af
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5080a98b77f7ff59c3070245023a1d43ed99d5fbd12de3775a80cd2fd0195306
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6E418EB1505300AFD700CF54C988B9BB7E8FB44318F444A29F9A9C7A51E775EA498B91
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,?,?,?,?,?,6C782F73,?,?,?,?,00000000), ref: 6C783571
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,6C782F73,?,?,?,?,00000000), ref: 6C78358C
                                                                                                                                                                                                        • PR_Lock.NSPR4(?), ref: 6C783650
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?), ref: 6C78366B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlock
                                                                                                                                                                                                        • String ID: Server-Key$global-salt$password-check
                                                                                                                                                                                                        • API String ID: 4018760208-3297152771
                                                                                                                                                                                                        • Opcode ID: db3b8a64e9e31454f8c64dde35c02ff770b1383892ff7f033a6af36ba6e58bb1
                                                                                                                                                                                                        • Instruction ID: 5c74a1c33d4d319990f2d4f9faa1ad168d236644457fc5be77846481f8846cdd
                                                                                                                                                                                                        • Opcode Fuzzy Hash: db3b8a64e9e31454f8c64dde35c02ff770b1383892ff7f033a6af36ba6e58bb1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 06312937F091408BD7008E1CC9406AAB7B5EB82728F980979EE55CBB05D332E94AC791
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PL_HashTableLookup.PLDS4(00000000,?,yxl,yxl,00000000,00000000,?,6C7879E8,?,?,30000000), ref: 6C78A5E5
                                                                                                                                                                                                        • SECITEM_ItemsAreEqual_Util.NSSUTIL3(00000000,?,6C7879E8,?,?,30000000), ref: 6C78A5F3
                                                                                                                                                                                                        • PL_HashTableLookup.PLDS4(00000000,?,yxl,?,?,6C7879E8,?,?,30000000), ref: 6C78A608
                                                                                                                                                                                                        • SECITEM_DupItem_Util.NSSUTIL3(?,yxl,00000000,6C7879E8,?,?,30000000), ref: 6C78A61E
                                                                                                                                                                                                        • PL_HashTableAdd.PLDS4(00000000,?,00000000,?,00000000,6C7879E8,?,?,30000000), ref: 6C78A62F
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(00000000,00000001,?,?,?,?,00000000,6C7879E8,?,?,30000000), ref: 6C78A63E
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: HashTableUtil$Item_Lookup$Equal_FreeItems
                                                                                                                                                                                                        • String ID: yxl
                                                                                                                                                                                                        • API String ID: 3494452108-3550317604
                                                                                                                                                                                                        • Opcode ID: c4427436b127961ecd633c5af575c11591faa8f890aa6f6e16ecc6e99657b5f2
                                                                                                                                                                                                        • Instruction ID: 968f77694b5093ff7ba65bab9fcdbb18c504d8767c5997bf0e648a0727ee980d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c4427436b127961ecd633c5af575c11591faa8f890aa6f6e16ecc6e99657b5f2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F6214CA2E0212026DA0056B55E8DEBF76DC8F5166DF080138FB25D6B41F719D60C93F2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_smprintf.NSPR4(%s/%s,00000000,?,?,00000000,?,?,00000000,?,6C789862,?,?,?,?), ref: 6C789B83
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(00000010,?), ref: 6C789B9B
                                                                                                                                                                                                        • PR_Free.NSPR4(00000000,?,?,?,?,?,?,?,?), ref: 6C789BD9
                                                                                                                                                                                                        • PR_smprintf_free.NSPR4(?,?), ref: 6C789BE6
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C789BF5
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_FreeFree_R_smprintfR_smprintf_free
                                                                                                                                                                                                        • String ID: %s/%s$`syl
                                                                                                                                                                                                        • API String ID: 508100799-1352401246
                                                                                                                                                                                                        • Opcode ID: ac02a348a282b27a05c61e6320dd23dac631926c787b416aafa423b465a26b56
                                                                                                                                                                                                        • Instruction ID: 1a01f633ac72b8070a8ad1954b72ce3469b33f097839ac3022482c42ebefb978
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ac02a348a282b27a05c61e6320dd23dac631926c787b416aafa423b465a26b56
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 601120B100A304AFD6004F559E49F4FBBFCEF95B28F100438FA5592B11E735EA188AA2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,6C790DFF,?,00000000,00000000), ref: 6C78F7C9
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3 ref: 6C78F7E2
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,00000003,?,?,?,?,6C790DFF,?,00000000,00000000), ref: 6C78F7F7
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,00000000,00000009,00000000,00000003,?,?,?,?,6C790DFF,?,00000000,00000000), ref: 6C78F802
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3 ref: 6C78F81D
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,00000000,00000009,00000000,00000003,?,?,?,?,6C790DFF,?), ref: 6C78F85F
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$Alloc_ArenaFree$Error_
                                                                                                                                                                                                        • String ID: Version
                                                                                                                                                                                                        • API String ID: 4196567886-1889659487
                                                                                                                                                                                                        • Opcode ID: ab96b905ad220ab1331f8603cd998c763ed4f2ddff95cb2c883551b3636ef02e
                                                                                                                                                                                                        • Instruction ID: d552dc0b3367a1f3b34a1b2bb1ca40c52559abb25c8798236fad85493512c41f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ab96b905ad220ab1331f8603cd998c763ed4f2ddff95cb2c883551b3636ef02e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6E11CE71D062112AE301ABA8AE19ADB36E8AF40318F844739FD18A5790FB35C71C47E3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE08E), ref: 6C737DCF
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE00E), ref: 6C737DF1
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C737F84
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        • Opcode ID: 4d71476f7d71d8116d6378278eecccb8bc7caedf9671f2894db0674349582c8c
                                                                                                                                                                                                        • Instruction ID: bc48c60d6fd16ef335f883b23aa32a6eb7f68a79010f8b14922cb7d55e2a0912
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4d71476f7d71d8116d6378278eecccb8bc7caedf9671f2894db0674349582c8c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5E513673D4523057C60099699F8869BB788EB80238F540776FE3C82BE1E766DD4E82D3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6C73039B
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C7303D7
                                                                                                                                                                                                        • memcpy.MSVCR120(00000008,00000000,?), ref: 6C730407
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?), ref: 6C7304C5
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(?,?), ref: 6C7304D8
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6C730525
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_memcpy$Alloc_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1012188401-0
                                                                                                                                                                                                        • Opcode ID: 0d97367e8f6ff6e653eda802ed52c31f9b3bde9f4d7e9f2539bec6ef20596793
                                                                                                                                                                                                        • Instruction ID: 4ea72916b04e53f7a3d3ac3e5ccffbe037cfa06206323af84b5b6790c3c251b9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0d97367e8f6ff6e653eda802ed52c31f9b3bde9f4d7e9f2539bec6ef20596793
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F519F72A053149FC700CF69D984A8AB7E8EB88329F40563EF95CC7741E731D918CB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_exec.SQLITE3(?,?,6C7FDDB0,?,?), ref: 6C7A8BC8
                                                                                                                                                                                                        • sqlite3_free_table.SQLITE3(?), ref: 6C7A8BEA
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?), ref: 6C7A8C00
                                                                                                                                                                                                        • sqlite3_mprintf.SQLITE3(6C80CAC0,?,?), ref: 6C7A8C0E
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?), ref: 6C7A8C1D
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?), ref: 6C7A8C3C
                                                                                                                                                                                                        • sqlite3_free_table.SQLITE3(?), ref: 6C7A8C54
                                                                                                                                                                                                          • Part of subcall function 6C7A8CF0: sqlite3_free.SQLITE3(6C7A8CA2,?,?,?,6C7A8CA6,?), ref: 6C7A8DB8
                                                                                                                                                                                                        • sqlite3_free_table.SQLITE3(?), ref: 6C7A8CA1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_free$sqlite3_free_table$sqlite3_execsqlite3_mprintf
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3972381293-0
                                                                                                                                                                                                        • Opcode ID: 60d8e65685b7671f7b31e02c1e7533c7f31d8adffd9be3ea263cd54f4e59ca19
                                                                                                                                                                                                        • Instruction ID: f8b8b64d3ba108df20b654a5190b60736cae47ca2b7abfa1d0bac7e7e4e9d1c5
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 60d8e65685b7671f7b31e02c1e7533c7f31d8adffd9be3ea263cd54f4e59ca19
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B151B0B1505381ABE700DF99DA4474BB7E0FF84318F440979F85497711E736E91ACB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C790189
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,00000000), ref: 6C7901B0
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,00000000,00000000,?,00000000,00000000), ref: 6C7901BF
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C7901ED
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C79020E
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,00000000), ref: 6C790225
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,00000000,00000000,?,00000000,00000000), ref: 6C790236
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C790266
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Utilmemcpy$Free_$Alloc_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2416087840-0
                                                                                                                                                                                                        • Opcode ID: 99456ccb91e35ad1274d79d2047ad7a54a99c4837cc2fca054428639704efc32
                                                                                                                                                                                                        • Instruction ID: 33fcf29103010845c8adaca200a4d1756205faf528bb42764736458d814156a3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 99456ccb91e35ad1274d79d2047ad7a54a99c4837cc2fca054428639704efc32
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2341D271654346ABDB10DF64EA88A9FB7F8BF48348F000639E955C7A01E734EA58C7D2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(6C76E3F0,?,?,?,6C72114B,?,00000000,?,00000014), ref: 6C72C29A
                                                                                                                                                                                                        • PR_Unlock.NSPR4(6C76E3F0), ref: 6C72C2D3
                                                                                                                                                                                                        • PR_Unlock.NSPR4(6C76E3F0,?,?,?,?,?,00000014), ref: 6C72C2FE
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,00000014), ref: 6C72C32B
                                                                                                                                                                                                        • PR_Unlock.NSPR4(6C76E3F0,?,?,?,00000014), ref: 6C72C33D
                                                                                                                                                                                                          • Part of subcall function 6C72BF00: PORT_Alloc_Util.NSSUTIL3(00000020,?,6C76E3F0), ref: 6C72BF12
                                                                                                                                                                                                          • Part of subcall function 6C72BF00: PORT_SetError_Util.NSSUTIL3(FFFFE013,6C76E3F0,?,?,?,?,?,?,?,?,?,?,?,?,?,6C72C376), ref: 6C72BF25
                                                                                                                                                                                                          • Part of subcall function 6C72BF00: PORT_GetError_Util.NSSUTIL3(?,?,?,?,?,?,?,?,6C76E3F0), ref: 6C72BF2D
                                                                                                                                                                                                          • Part of subcall function 6C72BF00: PORT_Alloc_Util.NSSUTIL3(00000050,?,?,?,?,?,?,?,?,6C76E3F0), ref: 6C72BF3F
                                                                                                                                                                                                          • Part of subcall function 6C72BF00: PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?,?,6C76E3F0), ref: 6C72C1A0
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_Unlock$Alloc_$Lockmemcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 649938340-0
                                                                                                                                                                                                        • Opcode ID: f847335b9e13e8cffd9816430f90dbbf5f1ef82e657351d227b2a04f8a87787b
                                                                                                                                                                                                        • Instruction ID: 46f76763aac6cbbaecb7cacfa5ab5abfe6a214f27655f746bb46d50f30927503
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f847335b9e13e8cffd9816430f90dbbf5f1ef82e657351d227b2a04f8a87787b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB310BB27013045BFB106FA9DDCCB877BA4EB51369F140839F65593342E735A928CBA2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7881CB
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,000000B0,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7881E3
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?), ref: 6C788206
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 6C788226
                                                                                                                                                                                                        • PR_htonl.NSPR4(?), ref: 6C7882B9
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000000,0000006C), ref: 6C7882DD
                                                                                                                                                                                                        • DER_SetUInteger.NSSUTIL3(00000000,0000000C,00000000,?,?,?,?), ref: 6C7882F0
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C788308
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_ArenaArena_$CopyFreeIntegerItem_R_htonlmemcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1359383034-0
                                                                                                                                                                                                        • Opcode ID: 7681a6677cb62be291dfedb00add4eef975e09560305ff83d17f7018c2c63cae
                                                                                                                                                                                                        • Instruction ID: 6c4cc0909f78ded2654ee5d70beb82b159adb17d0cb50c2b4855e1b3d0f1baf0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7681a6677cb62be291dfedb00add4eef975e09560305ff83d17f7018c2c63cae
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1C31B1B54003019FE7108F55DA45B9BB7F8EF44708F04092EEEA596B10E376E508CBA1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6C73883C
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6C738867
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6C738880
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6C738895
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6C7388AA
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6C7388BF
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6C7388D4
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,?,?), ref: 6C7388EF
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CopyItem_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1930918740-0
                                                                                                                                                                                                        • Opcode ID: 8a3fbd5e7690d6ffe3d3312ac2481a647deff6da570935fd16a6e1412c624f50
                                                                                                                                                                                                        • Instruction ID: d9cc6846e7e2986225a2311abc3023fdbde83c6c64505151e1e464c893adbd65
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8a3fbd5e7690d6ffe3d3312ac2481a647deff6da570935fd16a6e1412c624f50
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1631C7B2500B15ABD311DA66CE80ED7B7ECFE082187445A2BE95AC2E01F735F528CB91
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4 ref: 6C78E450
                                                                                                                                                                                                        • PR_Unlock.NSPR4(00000000), ref: 6C78E477
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(000008F8), ref: 6C78E489
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C78E49C
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000001), ref: 6C78E4CC
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,00000000), ref: 6C78E4EC
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C78E52D
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C78E542
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Free_$Error_LockUnlockmemcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3484337688-0
                                                                                                                                                                                                        • Opcode ID: ec8c2f562c68b82db2983a613864836627ae7982146820f5785aef13b1198e9f
                                                                                                                                                                                                        • Instruction ID: f6d4547d2da6d80f494e862c0ff39befda516591a679aa28b8cbefdbf86d59e5
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ec8c2f562c68b82db2983a613864836627ae7982146820f5785aef13b1198e9f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 383135B5906305AFEB208F64DD48B9F77F8AB95318F000639F96882740F735D6098BC2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,?,?,6C78C09D,?,?,?,00000000,00000000,?,00000000,?,?), ref: 6C78DE29
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,000008F8,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 6C78DE41
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000000,?,?,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 6C78DE8B
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,00000008,00000000,?,?,?,?,00000000,00000000,?,00000000,?,?), ref: 6C78DEA7
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,?,?), ref: 6C78DED2
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000), ref: 6C78DEE4
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 6C78DF04
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,00000000,?,00000000,?,?,?,?,?,00000000), ref: 6C78DF11
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Arena$Arena_memcpy$Error_Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1759514691-0
                                                                                                                                                                                                        • Opcode ID: c9abc72300a6895434125498b73472c9d915be143787275a4fbb98461f1092f2
                                                                                                                                                                                                        • Instruction ID: 3c361273aa7072f96be9b7deae1bdb86e1e960fb72ea08380fa8b209ca56e595
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c9abc72300a6895434125498b73472c9d915be143787275a4fbb98461f1092f2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7C313871A023019BD7108F54ED84A67B7E4EF54319F14457EE959CBB00E733EA09CBA1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: _strdup$calloc
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4283692972-0
                                                                                                                                                                                                        • Opcode ID: d17017c9cf221375a3028cfef9c63ecf8b30e72b85eed8ed1126d6436a574ceb
                                                                                                                                                                                                        • Instruction ID: 5357c4b68f14cc68458d7b77741e04850b1728bf0f0226b07ff469610d5489ec
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d17017c9cf221375a3028cfef9c63ecf8b30e72b85eed8ed1126d6436a574ceb
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AA21FBB0B01B065BEF10CF7A9940A57B3ECEF016657109938EC96C7A40EB28F559C7E1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000050,?,?,00000000,6C789900,?,?,00000000,?), ref: 6C789D5F
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000010,?), ref: 6C789D73
                                                                                                                                                                                                        • PR_NewLock.NSPR4(?,?), ref: 6C789D92
                                                                                                                                                                                                        • PL_NewHashTable.PLDS4(00000040,6C789B40,6C789A90,6C79654A,00000000,00000000,?,?), ref: 6C789DB8
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?), ref: 6C789E54
                                                                                                                                                                                                        • PR_DestroyLock.NSPR4(?,?,?,?), ref: 6C789E68
                                                                                                                                                                                                        • PL_HashTableDestroy.PLDS4(?,?,?,?), ref: 6C789E79
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?,?), ref: 6C789E82
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_DestroyFree_HashLockTable
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3202356090-0
                                                                                                                                                                                                        • Opcode ID: 6db7cf4890545f77a3ed1f56597d5e6ca3f9744e10e2b584af65a0687f83df8c
                                                                                                                                                                                                        • Instruction ID: c8f2099c1b36de8e1c4e46be14e3dabcab852b5a1dd20ab6e69746ba61dfbc1c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6db7cf4890545f77a3ed1f56597d5e6ca3f9744e10e2b584af65a0687f83df8c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 16316EB2502B019BD3208F65DA46707BBF4BF90654F10493DD6AA9BF60D775E204CBD2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000,?,00000000,-00000004,?,6C78F9CE,?,6C78F1EE,-00000004,00000000,6C78F1EE,?,-00000004,00000000,?), ref: 6C78DF2A
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000020,00000000,?,?,00000000), ref: 6C78DF3F
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000000,?,?,00000000,?,?,00000000), ref: 6C78DF70
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,?,?,?,?,?,00000000,?,?,00000000), ref: 6C78DFA2
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 6C78DFB7
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000008,00000000,?,?,?,?,00000000,?,?,00000000), ref: 6C78DFD7
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,00000000,?,?,00000000), ref: 6C78DFEA
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,?,00000000), ref: 6C78DFF7
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Arena$Arena_memcpy$Error_Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1759514691-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,6C782AD5), ref: 6C7821D8
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,?,6C7972C8,?,00000000), ref: 6C7821FC
                                                                                                                                                                                                        • SECOID_GetAlgorithmTag_Util.NSSUTIL3(?,?,?,?,?,00000000), ref: 6C78220D
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,?,6C797288,?,?,?,?,?,?,00000000), ref: 6C782228
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78223C
                                                                                                                                                                                                        • SECITEM_DupItem_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78224D
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,?,?,?,00000000), ref: 6C782263
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,00000000), ref: 6C782275
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Item_$Arena_DecodeQuick$AlgorithmCopyFreeFree_Tag_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3286990474-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,?,6C78C0BE,?,?,00000000,?,?,?,?,00000000,?,00000000,?), ref: 6C78E018
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,?,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 6C78E02B
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000020,00000000,?,?,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 6C78E03C
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,00000000,?,?,?,?,00000000,?,00000000,?,?), ref: 6C78E04F
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,00000000,?,?), ref: 6C78E05A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_Error_$Alloc_ArenaFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2983971270-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C781BB0: PORT_ZAlloc_Util.NSSUTIL3(00000008,?,?,?,00000000,?,6C7834A6,?,?,?,?,?,00000000,6C783058,?,?), ref: 6C781BB7
                                                                                                                                                                                                          • Part of subcall function 6C781BB0: PORT_ZAlloc_Util.NSSUTIL3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C781C00
                                                                                                                                                                                                          • Part of subcall function 6C781BB0: PORT_Free_Util.NSSUTIL3(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C781C11
                                                                                                                                                                                                          • Part of subcall function 6C781BB0: PORT_Free_Util.NSSUTIL3(00000000,00000000,?,00000001), ref: 6C781C17
                                                                                                                                                                                                        • PR_Lock.NSPR4(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7834BA
                                                                                                                                                                                                        • PR_Unlock.NSPR4(00000000), ref: 6C7834DB
                                                                                                                                                                                                        • PR_Lock.NSPR4(00000000), ref: 6C7834EF
                                                                                                                                                                                                        • PR_Unlock.NSPR4(00000000), ref: 6C783500
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C78350F
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,00000000), ref: 6C783515
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C783526
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,00000000), ref: 6C78352C
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_$Alloc_LockUnlock
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1806254683-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,6C790E07,00000000,?,00000000,00000000), ref: 6C78D65B
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,6C790E07,00000000,?,00000000,00000000), ref: 6C78D672
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,6C790E07,00000000,?,00000000,00000000), ref: 6C78D680
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C78D694
                                                                                                                                                                                                        • PR_Unlock.NSPR4 ref: 6C78D6A2
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C78D6BB
                                                                                                                                                                                                        • PR_Unlock.NSPR4 ref: 6C78D6D7
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000001,00000000,?,6C790E07,00000000,?,00000000,00000000), ref: 6C78D6F1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_$Unlock$Arena_FreeLockmemset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1480885319-0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: -$NaN
                                                                                                                                                                                                        • API String ID: 0-1202041466
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_exec
                                                                                                                                                                                                        • String ID: SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid$out of memory$sqlite_master$sqlite_temp_master$statement aborts at %d: [%s] %s
                                                                                                                                                                                                        • API String ID: 2141490097-3835016454
                                                                                                                                                                                                        • Opcode ID: e301fa1e4638f6bc023b343c2019aaa28ce5f81f2bf5928b30f786df46a09ddf
                                                                                                                                                                                                        • Instruction ID: 03b4db458fd7d68af8bd414b7188288bce5c677008343fbb442dc320a97d0b3a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e301fa1e4638f6bc023b343c2019aaa28ce5f81f2bf5928b30f786df46a09ddf
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EF0248746083829FD720CF18C684B5ABBF1FF89308F14496DE9998B712D731E956CB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(?,?,00000000), ref: 6C7451CC
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C7452EB
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C745303
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C745355
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$AllocItem_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4233208270-0
                                                                                                                                                                                                        • Opcode ID: 4a010b50c38ee3568b92ddb8cfc78cf00e8f70cb184a51544077760ead6b35e9
                                                                                                                                                                                                        • Instruction ID: 3d3355c903655195748f7bcb8778216d154fe127fc3fef9ded6b4b986cac4379
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4a010b50c38ee3568b92ddb8cfc78cf00e8f70cb184a51544077760ead6b35e9
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CCB1E5716053089BE7408FA0EB88B9B77DCAB4031CF58C93AEA28C6650EB75D54CC792
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000000,?), ref: 6C736D4B
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(00000000,?,00000080,?,00000000,00000000,00000000,?), ref: 6C736D74
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C736D81
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,00000000), ref: 6C736DB1
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,00000000), ref: 6C736E18
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C736E4D
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C736E75
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$memset$Error_$AllocAlloc_Free_Item_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2878504915-0
                                                                                                                                                                                                        • Opcode ID: 117877fbc5f5c296dc8d57a1937962cff106c60e1e4c94a300a794f8f2415f33
                                                                                                                                                                                                        • Instruction ID: 0bde6b41f08e814f28b5d8f359a548f2377b496c05a8e8d0f17994b8e3f54d8b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 117877fbc5f5c296dc8d57a1937962cff106c60e1e4c94a300a794f8f2415f33
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D891D471A04315ABD711CBF5CA89BCBB7DCBB48208F04493AF658C7652EB75D60C8B92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,00000000,?,?,?,?), ref: 6C72EE41
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,00000000,?,?,?,?), ref: 6C72EE67
                                                                                                                                                                                                        • getenv.MSVCR120 ref: 6C72EE8C
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000001,?), ref: 6C72EF99
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C72F0D3
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$getenvmemcpy
                                                                                                                                                                                                        • String ID: NSS_DISABLE_HW_AES
                                                                                                                                                                                                        • API String ID: 847386057-989025892
                                                                                                                                                                                                        • Opcode ID: 573d9304c58b5045db2b51acae8b9829e2eb434a29690410506e09ab465024e1
                                                                                                                                                                                                        • Instruction ID: 9397b9cea40b0e779773e38913d11a1badf06ae5ccb91e6fcd12ee4c22c33ae7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 573d9304c58b5045db2b51acae8b9829e2eb434a29690410506e09ab465024e1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D7914C316093284BE7609A2DC74175BB3A4EB42369F940B3EE864C7F81D73ED4588793
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(?,?,?), ref: 6C78DC53
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,6C78F758,?,00000000,?,?,?,6C790CD6,?,00000000,?,?), ref: 6C78DC69
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE004,?), ref: 6C78DC81
                                                                                                                                                                                                        • memcpy.MSVCR120(00000009,?,?,00000000,?,6C78F758,?,00000000,?,?,?,6C790CD6,?,00000000,?,?), ref: 6C78DCBC
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,?,?,?,00000000,?,6C78F758,?,00000000,?,?,?,6C790CD6,?), ref: 6C78DD28
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,?,?,?,?,?,?,00000000,?,6C78F758,?,00000000,?,?), ref: 6C78DD4D
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,00000002,?,?,?,00000000,?,6C78F758,?,00000000,?,?,?,6C790CD6,?), ref: 6C78DDAF
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpy$Util$Error_$Alloc_Arena
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2541968341-0
                                                                                                                                                                                                        • Opcode ID: 712c2ed148da96b6ae3d6fd12f18aeb9d51980e4301cc8ca9afebb2da262b99b
                                                                                                                                                                                                        • Instruction ID: c9dc324b41a9b9f304f1d5a33c5b800b6e86f25556990fe99b57a36f5791ae43
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 712c2ed148da96b6ae3d6fd12f18aeb9d51980e4301cc8ca9afebb2da262b99b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: FC7108325052478FCB00CF18C980599BBA1FFA5318F19867EEDA897701D332E91ACBA1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C78727A
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C7872F5
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C787367
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Free_Util
                                                                                                                                                                                                        • String ID: @$@$@
                                                                                                                                                                                                        • API String ID: 3239092222-1177533131
                                                                                                                                                                                                        • Opcode ID: caf58c0c47b4bf935019e66e2f2731c3065934f6ff0b1335b54c442aad272f65
                                                                                                                                                                                                        • Instruction ID: 6dd6944e5d33ac194280bb5d8346b79b159bda33edbcf1a0bf088f720a3d267b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: caf58c0c47b4bf935019e66e2f2731c3065934f6ff0b1335b54c442aad272f65
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5E51F7B1A053005BD3409B659A48B9BB7F8AF8435CF44493DFB5A82741EB75DA0887E3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C740F8B
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?), ref: 6C740FAB
                                                                                                                                                                                                        • memcpy.MSVCR120(00000001,?,?), ref: 6C740FDD
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C740FE9
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C740FFC
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,?), ref: 6C741085
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE004,?), ref: 6C74109A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_memcpy$Alloc_Free_memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 791058092-0
                                                                                                                                                                                                        • Opcode ID: 841cf09135ad38b2d8b3e525bcd99aa52a4e995bac779a8fe29e2b27c1baade7
                                                                                                                                                                                                        • Instruction ID: 0d40eec2a545e3ad2a67c3b0cfeb4eb22586bf446ff89cde3d5cfa0843f6a335
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 841cf09135ad38b2d8b3e525bcd99aa52a4e995bac779a8fe29e2b27c1baade7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51512071608341AFD704DF28DD45AABBBE9EFC4219F10493EF49586610DB62D928CB52
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,?,?,?,?), ref: 6C738004
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7380E9
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?), ref: 6C738137
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?), ref: 6C738146
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?), ref: 6C738155
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?), ref: 6C738164
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?), ref: 6C738177
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$memset$Alloc_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2439995405-0
                                                                                                                                                                                                        • Opcode ID: 21bc0631ede69aa829e5c442cd47efd9329650a7d99963efa608924b1212701b
                                                                                                                                                                                                        • Instruction ID: 940b3ea9f53fb0c1ff65344b5a72e3574565418ca5186e93db632ff20688c171
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 21bc0631ede69aa829e5c442cd47efd9329650a7d99963efa608924b1212701b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8651E372C0633117C7119AA48E88ACB76DC9B84664F054A3BFE59D7701FB39D90E82E3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000000), ref: 6C737130
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE00E), ref: 6C737201
                                                                                                                                                                                                          • Part of subcall function 6C74A0A0: memset.MSVCR120 ref: 6C74A0B5
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(00000000,?,?), ref: 6C73723B
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,00000000,?,?), ref: 6C73724C
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73726B
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(?,?), ref: 6C73727C
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C737293
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$memset$AllocAlloc_Free_Item_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 910830761-0
                                                                                                                                                                                                        • Opcode ID: acbed59f2f6e662cace9ab75e1790177c8e9b7bfdf1936fbe996bf43aded9784
                                                                                                                                                                                                        • Instruction ID: 55ff9fb01f5f60c9c449a5a4fb91b4820a06bd0c852c5dc6290b24d5bb39a684
                                                                                                                                                                                                        • Opcode Fuzzy Hash: acbed59f2f6e662cace9ab75e1790177c8e9b7bfdf1936fbe996bf43aded9784
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A45106B1805325ABC700DE65CF48B9BB6E8AB84618F10463AFD6CD2752EB31D518C7E3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,?,00000000,?,?,?,?,?,?,?,?,6C73EA3E,?,?,?,?), ref: 6C73E665
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,?,?,?,?,?,?,?,6C73EA3E,?,?,?,?,?), ref: 6C73E678
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,6C73EA3E,?,?), ref: 6C73E6F8
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,6C73EA3E,?,?,?,?,?), ref: 6C73E731
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,6C73EA3E,?,?,?,?,?), ref: 6C73E747
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?,6C73EA3E,?,?,?,?,?), ref: 6C73E75D
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,6C73EA3E,?,?,?,?,?), ref: 6C73E773
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_Free_memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 58054029-0
                                                                                                                                                                                                        • Opcode ID: 29273a41586b8e0bb8431cd96ca4446ad565d621da0eae720db5cd46272fb1d0
                                                                                                                                                                                                        • Instruction ID: 63aeba0b8288964d114c84851151bfef60bc5387e06b9eee8c6555cce881d144
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 29273a41586b8e0bb8431cd96ca4446ad565d621da0eae720db5cd46272fb1d0
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E4415672C0523927C6106AA89E4DADF769C9B84238F440735FE2CD2791E725DE1D93E3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_Free_LockUnlock
                                                                                                                                                                                                        • String ID: cert
                                                                                                                                                                                                        • API String ID: 3435265499-212476011
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C78FF3B
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,00000000,6C787C40,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C78FF66
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,00000000,?,?,00000000,6C787C40,00000000,?), ref: 6C78FF75
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,00000000,6C787C40,00000000,?), ref: 6C78FFBA
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,00000000,6C787C40,00000000,?), ref: 6C78FFE0
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,6C787C40), ref: 6C78FFF1
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?), ref: 6C790011
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpy$Util$Free_$Alloc_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3997346407-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C7414A9
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,?,?), ref: 6C741563
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Alloc_Utilmemcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1090783976-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,00000000,00000000,00000000,?,00000000), ref: 6C73E7A1
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,00000000), ref: 6C73E7B4
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,?,?,00000000,00000000,?,00000000), ref: 6C73E820
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,00000000,00000000,?,00000000), ref: 6C73E841
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3186423673-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlock
                                                                                                                                                                                                        • String ID: global-salt$password-check
                                                                                                                                                                                                        • API String ID: 4018760208-3927197501
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 6C721038
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?), ref: 6C72106B
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CounterPerformanceQuerymemcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2415575650-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE00A), ref: 6C740340
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C74035E
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C740371
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2938347131-0
                                                                                                                                                                                                        • Opcode ID: 0732788a26656539e4cb37c5966ab4a76850c803e35a4033704927a5892041a2
                                                                                                                                                                                                        • Instruction ID: 64b13904169dcd4872b5516caf3bd217b6af51215fa0c20d81d84ce9140f0a2a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0732788a26656539e4cb37c5966ab4a76850c803e35a4033704927a5892041a2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8811067390522067CB01266CAD4DB8E7E61DFC4236F144779F668D97A0DB61C42D93A3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6C72BDFC
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C72BE0D
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C72BE20
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2938347131-0
                                                                                                                                                                                                        • Opcode ID: 0922b375c41728ce7de2889c4172faa73304926e72182ca137b0431350858481
                                                                                                                                                                                                        • Instruction ID: 481cadd9572206f0b0e8309ecc439fb64392bcf1bbc9d2f227173c63483c6d8c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0922b375c41728ce7de2889c4172faa73304926e72182ca137b0431350858481
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4D11787390021427D700666D9D88EDB7BACCF8427DF140636F565E2750EB26E96C46F2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(00CA59E8,?,00000000,?,6C789A10,?), ref: 6C782149
                                                                                                                                                                                                        • PR_Unlock.NSPR4(00CA59E8), ref: 6C782156
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(850C468B,?,6C789A10,?), ref: 6C782179
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(04C4836C,?,6C789A10,?), ref: 6C782189
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(FF500A74,00000001,?,6C789A10,?), ref: 6C78219B
                                                                                                                                                                                                        • PR_DestroyLock.NSPR4(00CA59E8,?,6C789A10,?), ref: 6C7821AB
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(6C789A10,?,6C789A10,?), ref: 6C7821B5
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_$Lock$DestroyFreeItem_Unlock
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1897647308-0
                                                                                                                                                                                                        • Opcode ID: 5b0ee5d8dce4f730eea3bafd5dcbf485c639414194ea08a9ee58be8896bf6f74
                                                                                                                                                                                                        • Instruction ID: b8778d2241a5dc00031da4b09a8396c7f7124eae79c91c34a77d9a1875c27c56
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b0ee5d8dce4f730eea3bafd5dcbf485c639414194ea08a9ee58be8896bf6f74
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 640184B1B026026BEA009FB9ED8CA5BB3BC6F415457244134FA24D3700D725E65586E2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1294909896-0
                                                                                                                                                                                                        • Opcode ID: 9bf483ca1c2082f325954c9dd1af8c3c71fa568ef415ab3aa60f1e4f5898005d
                                                                                                                                                                                                        • Instruction ID: dcf60aa7362045541a0490348a9d593ffc85bfe3b02cbeeff6ba79ab7fb15476
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9bf483ca1c2082f325954c9dd1af8c3c71fa568ef415ab3aa60f1e4f5898005d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A501A7B0B01B0957FE10EE39AD50E4FB3DC5E4056871B4838E899D3E40EA20F504CAE3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(?,?,00000000), ref: 6C744E11
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C744E97
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C744EAF
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C744EC7
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C744EDF
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C744F01
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$memset$AllocItem_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2790809200-0
                                                                                                                                                                                                        • Opcode ID: fb3cbe8ba548b6e132c7428707579161b8f29cd5a8ac324b10a48b5a39776297
                                                                                                                                                                                                        • Instruction ID: a765df05c47be5f37eed50699b82991f5fa17e37fa93414115ec76ac9ff1efbf
                                                                                                                                                                                                        • Opcode Fuzzy Hash: fb3cbe8ba548b6e132c7428707579161b8f29cd5a8ac324b10a48b5a39776297
                                                                                                                                                                                                        • Instruction Fuzzy Hash: ABB1EF316043159BE7008EE1DA88FCBB7DCAB44218F54C539EA2887A61EB75D54CE792
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6C73DA4D
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C73DCB5
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C73DCC7
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C73DCD9
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73DCEB
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(?,00000001), ref: 6C73DD07
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Arena_$Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 818136658-0
                                                                                                                                                                                                        • Opcode ID: 76a88a1a862eb4ec53c72721ee41efb589a939021df7a3cd566fdadbc2a48e4c
                                                                                                                                                                                                        • Instruction ID: 8d15c6335b8d8ddd8941e8f3409bbb24f1244683abe8279ac9bb87f9895b3ed8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 76a88a1a862eb4ec53c72721ee41efb589a939021df7a3cd566fdadbc2a48e4c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 26A114B182A3255BD710DA65CB48B9BB7ECBB94318F04063EFD58C3A41E770D90887E2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73ED8C
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C73EFB1
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C73EFCB
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C73EFE5
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73F019
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        • Opcode ID: 35dd907cf3d30249fe3a0b17616396a650d5bfe77555cdbe5e668ffe98339509
                                                                                                                                                                                                        • Instruction ID: 57bdc487b483fe83b1772b84bd5cb5fdeaab56c10ae512c42e971f6809cd68a8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 35dd907cf3d30249fe3a0b17616396a650d5bfe77555cdbe5e668ffe98339509
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D913E725053294BD3009AF58E88A9BB7DCAB40228F14073EF66CC1A92EBB5D50DC7D3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • foreign key on %s should reference only one column of table %T, xrefs: 6C7D4C03
                                                                                                                                                                                                        • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 6C7D4C51
                                                                                                                                                                                                        • unknown column "%s" in foreign key definition, xrefs: 6C7D4E42
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpy$memset
                                                                                                                                                                                                        • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                        • API String ID: 438689982-272990098
                                                                                                                                                                                                        • Opcode ID: e5e95e7f40673fba0c6b46fa85bc5dbabd34ebc03940f5469f320c2cc37f82d3
                                                                                                                                                                                                        • Instruction ID: be4af8519b8a9a4fc98d269a96a9fa798608786c8f5c2133557b8e99586cceb6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e5e95e7f40673fba0c6b46fa85bc5dbabd34ebc03940f5469f320c2cc37f82d3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 89B1D0725083459FC710CF19CA80A5ABBF4EF89308F1A496DF8989BB12D735F941DB91
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000000,?,?,?,?,?,?), ref: 6C73B4BE
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?), ref: 6C73B65D
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?), ref: 6C73B66F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?), ref: 6C73B681
                                                                                                                                                                                                          • Part of subcall function 6C739E90: SECITEM_ZfreeItem_Util.NSSUTIL3(?,00000000), ref: 6C739EEF
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?), ref: 6C73B693
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000000,?,?,?,?,?,?), ref: 6C73B6BA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Item_$CopyFreeZfree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 414615639-0
                                                                                                                                                                                                        • Opcode ID: dbd72b1fb9b68e73aa735f6106d595239afb3e13f0ebd942c69171fa164e01a1
                                                                                                                                                                                                        • Instruction ID: abd6612abb7f01480084981acaa260f635e66c8e56e1dd3978dc1c6e3b1f897b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: dbd72b1fb9b68e73aa735f6106d595239afb3e13f0ebd942c69171fa164e01a1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AB9147719047659BD310CEA4CE44B9BB7E8AF84328F040A38F9AC97792E775E408C793
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000), ref: 6C78F1AB
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(?,00000000,?,?,?,?,00000000,?,?,00000000), ref: 6C78F1F4
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Arena_Util$Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 771158934-0
                                                                                                                                                                                                        • Opcode ID: 83cb301715c7deb35cd88aac5c3026cc380ecd72e9c59a206e77ca7fc6061073
                                                                                                                                                                                                        • Instruction ID: 720e355e8b6a973547e3fec995ecfb2e9d65843f4f69929b76f84d8818b27b7f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 83cb301715c7deb35cd88aac5c3026cc380ecd72e9c59a206e77ca7fc6061073
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7C8195B25093419BD710CF65D944B9FB7E8AF88304F144A3EFAA9C2641E735D6098BA2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE028), ref: 6C73E530
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C73E57F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C73E598
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C73E5B1
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73E5CA
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73E5E3
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1468616262-0
                                                                                                                                                                                                        • Opcode ID: 407541d9ebfb55bf7f55dff38351682ad386474375d86edc70c0cefa7c9c77bd
                                                                                                                                                                                                        • Instruction ID: 9d3fe986502288b4e19bab046bd4eee04a4eadb972a74049ee0a3dfa745e61c1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 407541d9ebfb55bf7f55dff38351682ad386474375d86edc70c0cefa7c9c77bd
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 807144729053395BC3008AB89E4869BBB989B84234F084779F97CC7791F735DD4987E2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECITEM_ZfreeItem_Util.NSSUTIL3(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 6C739D98
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C739DBC
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C739E2F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C739E44
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C739E59
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C739E6E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Item_$AllocZfreememset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1437407099-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6C787722
                                                                                                                                                                                                        • NSS_Get_SEC_OctetStringTemplate_Util.NSSUTIL3(00000000,00000000,?), ref: 6C787741
                                                                                                                                                                                                        • SEC_QuickDERDecodeItem_Util.NSSUTIL3(00000000,?,00000000,?,?), ref: 6C787750
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?), ref: 6C78775F
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C787831
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000), ref: 6C787840
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$Free$DecodeFree_Get_Item_OctetQuickStringTemplate_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1423109607-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003,?,?,?), ref: 6C7410E2
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,?,?,6C78F389,?,?), ref: 6C78E6AB
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,?,?,?,?,6C78F389,?,?,?,?,?), ref: 6C78E6CB
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6C78E6DD
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(?,?), ref: 6C78E737
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C78E74D
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_ArenaLockUnlock
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 303087441-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,00000000,00000000,00000000,6C78FAC0,00000000,?,?,?,?,?,?,?,?), ref: 6C78C201
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,00000002,00000000,00000000,00000000,00000000,6C78FAC0,00000000,?,?), ref: 6C78C239
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(00000000,00000000,00000000,00000000,00000000,6C78FAC0,00000000,?,?,?,?,?,?,?,?), ref: 6C78C244
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,6C786A7E,?), ref: 6C78C278
                                                                                                                                                                                                        • memcpy.MSVCR120(00000098,00000000,00000002), ref: 6C78C2AB
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6C78C2C0
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_Strdup_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3105661968-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6C740870
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C7408A7
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C7408BA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2938347131-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6C7406B5
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C7406D6
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C7406E9
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE006), ref: 6C74075E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2938347131-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012,00000000,?,?,6C78F1CE,?,?,00000000), ref: 6C78C782
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,00000000,?,?,6C78F1CE,?,?,00000000), ref: 6C78C7D8
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,?,?,00000000), ref: 6C78C7F4
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000001,?,?,?,?,?,?,00000000), ref: 6C78C80B
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,00000000), ref: 6C78C821
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_ArenaError_$memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 246302950-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(00000000,?,6C7902D9,?,00000000,?,00000000,?), ref: 6C78CE98
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,00000000,?), ref: 6C78CEBE
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(00000220), ref: 6C78CED0
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,00000000,00000000,?), ref: 6C78CF0E
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,?), ref: 6C78CF23
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?), ref: 6C78CF33
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_$Free_LockUnlockmemcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1415783927-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(00000041), ref: 6C722CF3
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE890), ref: 6C722D06
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE890,FFFFE890), ref: 6C722D10
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C722D23
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C722D5D
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,00000041,00000000,00000000,?,?,?,00000000,?,?), ref: 6C722DA3
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_memset$Alloc_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3708512705-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_GetDirectorySeparator.NSPR4(?,00000000,?,?,6C79239B,00000000,?), ref: 6C7922C7
                                                                                                                                                                                                        • strrchr.MSVCR120 ref: 6C7922D6
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000002,?,?,6C79239B,00000000,?), ref: 6C792300
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,00000001,?,?,?,6C79239B,00000000,?), ref: 6C792311
                                                                                                                                                                                                        • PR_LoadLibraryWithFlags.NSPR4(?,?,?,?,?,?,?,?,?,6C79239B,00000000,?), ref: 6C792344
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,6C79239B,00000000,?), ref: 6C79234D
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_DirectoryFlagsFree_LibraryLoadSeparatorWithmemcpystrrchr
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4262131509-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6C7822A1
                                                                                                                                                                                                        • PR_Lock.NSPR4(?), ref: 6C7822CB
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,00000000), ref: 6C7822E1
                                                                                                                                                                                                        • PR_Lock.NSPR4(?), ref: 6C7822F4
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?), ref: 6C782305
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6C782317
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_LockUnlockUtil
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2257831774-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,00000000,6C788C5D,00000000,?,00000000,?,00000008,20000000,00000000,?,?,?,?,?,?), ref: 6C78FDD4
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C78FDE4
                                                                                                                                                                                                        • PR_Lock.NSPR4(00000008,00000000,00000220,00000000,6C788C5D,00000000,?,00000000,?,00000008,20000000,00000000,?,?,?,?), ref: 6C78FDEF
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000008), ref: 6C78FE03
                                                                                                                                                                                                        • PR_Unlock.NSPR4 ref: 6C78FE11
                                                                                                                                                                                                          • Part of subcall function 6C78D630: PORT_Free_Util.NSSUTIL3(?,?,6C790E07,00000000,?,00000000,00000000), ref: 6C78D65B
                                                                                                                                                                                                          • Part of subcall function 6C78D630: PORT_Free_Util.NSSUTIL3(?,?,6C790E07,00000000,?,00000000,00000000), ref: 6C78D672
                                                                                                                                                                                                          • Part of subcall function 6C78D630: PR_Lock.NSPR4(?,6C790E07,00000000,?,00000000,00000000), ref: 6C78D680
                                                                                                                                                                                                          • Part of subcall function 6C78D630: PORT_Free_Util.NSSUTIL3(?), ref: 6C78D694
                                                                                                                                                                                                          • Part of subcall function 6C78D630: PR_Unlock.NSPR4 ref: 6C78D6A2
                                                                                                                                                                                                        • PR_Unlock.NSPR4 ref: 6C78FE35
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Free_Util$Unlock$Lock$memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 213400251-0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
• Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: hidden$hidden$vtable constructor did not declare schema: %s$vtable constructor failed: %s
                                                                                                                                                                                                        • API String ID: 0-2481402886
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
• Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memsetsqlite3_free
                                                                                                                                                                                                        • String ID: $ $Recovered %d frames from WAL file %s
                                                                                                                                                                                                        • API String ID: 1394162170-1630138656
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
• Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: __aulldiv__aulldvrm__aullrem
                                                                                                                                                                                                        • String ID: NaN
                                                                                                                                                                                                        • API String ID: 1415644573-1757892521
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,00000000,CREATE TABLE ), ref: 6C7B7EF8
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,?), ref: 6C7B7F5F
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?), ref: 6C7B7FCC
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,6C80CAC0,?), ref: 6C7B8006
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
• Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_snprintf$memcpy
                                                                                                                                                                                                        • String ID: CREATE TABLE
                                                                                                                                                                                                        • API String ID: 3845099228-2216363946
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_reset.SQLITE3(?,?,?), ref: 6C7ABA0E
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • misuse at line %d of [%.10s], xrefs: 6C7AB8A0
                                                                                                                                                                                                        • cd0b37c52658bfdf992b1e3dc467bae1835a94ae, xrefs: 6C7AB896
                                                                                                                                                                                                        • API called with finalized prepared statement, xrefs: 6C7AB887
                                                                                                                                                                                                        • API called with NULL prepared statement, xrefs: 6C7AB876
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
• Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_reset
                                                                                                                                                                                                        • String ID: API called with NULL prepared statement$API called with finalized prepared statement$cd0b37c52658bfdf992b1e3dc467bae1835a94ae$misuse at line %d of [%.10s]
                                                                                                                                                                                                        • API String ID: 120701357-2286270372
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(000000B0), ref: 6C72D888
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C72D8A2
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C72D9F9
                                                                                                                                                                                                          • Part of subcall function 6C72DD30: PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?,?,?,00000000,?,6C72D8D5,00000000,?,?), ref: 6C72DDBC
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C72DA1B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_Free_memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 58054029-3916222277
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(?,?,00000000,?,0000000A,6C791329,?,?,?,00000001,?), ref: 6C791F94
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C792057
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C792094
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C7920AA
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_$Strdup_
                                                                                                                                                                                                        • String ID: .db
                                                                                                                                                                                                        • API String ID: 398476677-1874795567
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_mprintf.SQLITE3(6C80CAC0,?), ref: 6C7FDE38
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?), ref: 6C7FDE83
                                                                                                                                                                                                        • sqlite3_mprintf.SQLITE3(sqlite3_get_table() called with two or more incompatible queries,?), ref: 6C7FDE8D
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • sqlite3_get_table() called with two or more incompatible queries, xrefs: 6C7FDE88
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_mprintf$sqlite3_free
                                                                                                                                                                                                        • String ID: sqlite3_get_table() called with two or more incompatible queries
                                                                                                                                                                                                        • API String ID: 3165271256-4279182443
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000,00000000), ref: 6C7BEB1D
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,OsError 0x%x (%u),?,?), ref: 6C7BEB52
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(?,?,6C80CAC0,00000000), ref: 6C7BEB67
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000,?,?,6C80CAC0,00000000), ref: 6C7BEB6D
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_freesqlite3_snprintf
                                                                                                                                                                                                        • String ID: OsError 0x%x (%u)
                                                                                                                                                                                                        • API String ID: 349614681-2664311388
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: key
                                                                                                                                                                                                        • API String ID: 0-2324736937
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: _errno$_lseek_write
                                                                                                                                                                                                        • String ID: %$sniglet^&
                                                                                                                                                                                                        • API String ID: 1658918018-681435720
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_mprintf.SQLITE3(unable to use function %s in the requested context,?), ref: 6C7E09D1
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000), ref: 6C7E0A2D
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,00000001), ref: 6C7E0A78
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(00000000), ref: 6C7E0A8C
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • unable to use function %s in the requested context, xrefs: 6C7E09CC
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_free$memcpysqlite3_mprintf
                                                                                                                                                                                                        • String ID: unable to use function %s in the requested context
                                                                                                                                                                                                        • API String ID: 475629086-47290733
                                                                                                                                                                                                        • Opcode ID: 4aaf99935d649658427d6d1888c49b0e8a981cee1b9db3be6b582b06a8c40093
                                                                                                                                                                                                        • Instruction ID: 47da29bf4f765115138d30facc8b1412878a4149a8c37f6390a7906a9acbb300
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4aaf99935d649658427d6d1888c49b0e8a981cee1b9db3be6b582b06a8c40093
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C2138B660069A6BD3008F59DA84B42B7B8FF5934CF04413AE8148BB01E772E496DBE1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_smprintf.NSPR4(%s/%s,00000000,?,?,00000000,?,00000000,?,6C7898E7,?,?,?,?), ref: 6C789C3D
                                                                                                                                                                                                          • Part of subcall function 6C7828E0: PORT_ZAlloc_Util.NSSUTIL3(00000024,?,?,?,00000000,6C789C69,?,?,?,6C789EA0,00000000,?), ref: 6C7828E6
                                                                                                                                                                                                          • Part of subcall function 6C7828E0: PORT_SetError_Util.NSSUTIL3(FFFFE013,?), ref: 6C7828F9
                                                                                                                                                                                                          • Part of subcall function 6C7828E0: PORT_Strdup_Util.NSSUTIL3(?), ref: 6C782963
                                                                                                                                                                                                          • Part of subcall function 6C7828E0: PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6C78297B
                                                                                                                                                                                                          • Part of subcall function 6C7828E0: PORT_Free_Util.NSSUTIL3(00000000), ref: 6C782A2F
                                                                                                                                                                                                          • Part of subcall function 6C7828E0: PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6C782A3C
                                                                                                                                                                                                        • PR_smprintf_free.NSPR4(00000000,?,?,?,6C789EA0,00000000,?), ref: 6C789C6C
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C789C7A
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_Free_Strdup_$Alloc_R_smprintfR_smprintf_free
                                                                                                                                                                                                        • String ID: %s/%s$`syl
                                                                                                                                                                                                        • API String ID: 3018829212-1352401246
                                                                                                                                                                                                        • Opcode ID: 7641f0d3902970b09ed382a0741b1538fb67cd157adbbee5f0a1894b383e921e
                                                                                                                                                                                                        • Instruction ID: 9a44cbf4224b9038df1f041cf0565be778c3c74d568f8b2aef6745c661acfbd0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7641f0d3902970b09ed382a0741b1538fb67cd157adbbee5f0a1894b383e921e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0701F5B35062106FD6009B69EE899CB77ECEF85269F154575FE05E3700D7219D0486B2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: isdigitislowerisuppertoupper
                                                                                                                                                                                                        • String ID: $
                                                                                                                                                                                                        • API String ID: 2941871354-3993045852
                                                                                                                                                                                                        • Opcode ID: 061f65b3757e87bac6109674207fa0562fe0bd545610fb596efdb1ef2b500476
                                                                                                                                                                                                        • Instruction ID: 783172e5868dedaf0411162ec91caf8634ce0304be947c579fdd3501e0b1371b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 061f65b3757e87bac6109674207fa0562fe0bd545610fb596efdb1ef2b500476
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F501F730945135D7EA10FB19DB85AAF77EC6F02346F208939E899C2840D734EA5CCAD3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,00000000,?,00000000,00000000,6C74169B,?), ref: 6C7419BD
                                                                                                                                                                                                        • strncmp.MSVCR120 ref: 6C7419D9
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,?,6C74160F,00000000), ref: 6C7419EB
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Alloc_Utilmemcpystrncmp
                                                                                                                                                                                                        • String ID: .chk$.dll
                                                                                                                                                                                                        • API String ID: 93268641-2651466801
                                                                                                                                                                                                        • Opcode ID: bde0327eb4c8c28b880610583f0d38770054802a5b3706ad5745458a78e7714f
                                                                                                                                                                                                        • Instruction ID: dcac98be1fac6711511833bc54324ca1d0a1de39b787283b541ab36b6d3dd988
                                                                                                                                                                                                        • Opcode Fuzzy Hash: bde0327eb4c8c28b880610583f0d38770054802a5b3706ad5745458a78e7714f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A8012B311043556BC720DF55D984AD3BFB8DE02248709457AEC85D7B05DA21E91DD760
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_smprintf.NSPR4(%scert%s.db,?,6C797360), ref: 6C789CEF
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6C789D00
                                                                                                                                                                                                        • PR_smprintf_free.NSPR4(00000000,00000000), ref: 6C789D08
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: R_smprintfR_smprintf_freeStrdup_Util
                                                                                                                                                                                                        • String ID: %scert%s.db$`syl
                                                                                                                                                                                                        • API String ID: 3824127947-2791073291
                                                                                                                                                                                                        • Opcode ID: d1f329c00306e856291f387a8080bb17efc70ca1dcba3e989fcb9cefef5af0fc
                                                                                                                                                                                                        • Instruction ID: bfe458a47ec47b7053ee1e2d4a69df62137176ccae12d508a849b14ec21505a9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d1f329c00306e856291f387a8080bb17efc70ca1dcba3e989fcb9cefef5af0fc
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F0F02732309940A78E0049BCFF0740E7AA4BB93265B104233FA24CEB25D122CD41C36A
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_smprintf.NSPR4(%skey%s.db,?,6C7973A8), ref: 6C789ED4
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6C789EE5
                                                                                                                                                                                                        • PR_smprintf_free.NSPR4(00000000,00000000), ref: 6C789EED
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: R_smprintfR_smprintf_freeStrdup_Util
                                                                                                                                                                                                        • String ID: %skey%s.db$`syl
                                                                                                                                                                                                        • API String ID: 3824127947-1936835002
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C73C6E3
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,00000000), ref: 6C73C709
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE00A), ref: 6C73CABC
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73CB64
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73CB76
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Utilmemset$memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3851370324-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C73CFCE
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,00000000,?,?,?,00000000), ref: 6C73CFF8
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6C73D37D
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,00000000), ref: 6C73D392
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,0000000A,?,00000000), ref: 6C73D3A4
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Utilmemset$memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3851370324-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7E6D93
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?), ref: 6C7E6E8A
                                                                                                                                                                                                          • Part of subcall function 6C7FA420: memset.MSVCR120 ref: 6C7FA467
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?), ref: 6C7E6FF1
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • statement too long, xrefs: 6C7E6E16
                                                                                                                                                                                                        • database schema is locked: %s, xrefs: 6C7E6E59
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpymemset
                                                                                                                                                                                                        • String ID: database schema is locked: %s$statement too long
                                                                                                                                                                                                        • API String ID: 1297977491-388537643
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,6C7875A7,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C787DD6
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,000000B0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C787DF9
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C787E09
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$Alloc_ArenaFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1390973725-0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • %r ORDER BY term does not match any column in the result set, xrefs: 6C7CA1FF
                                                                                                                                                                                                        • %r %s BY term out of range - should be between 1 and %d, xrefs: 6C7CA0AD
                                                                                                                                                                                                        • ORDER, xrefs: 6C7CA0A7
                                                                                                                                                                                                        • too many terms in ORDER BY clause, xrefs: 6C7C9F7B
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: %r %s BY term out of range - should be between 1 and %d$%r ORDER BY term does not match any column in the result set$ORDER$too many terms in ORDER BY clause
                                                                                                                                                                                                        • API String ID: 0-3892209816
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ArenaStrdup_Util.NSSUTIL3(00000001,?,00000000,?), ref: 6C78C372
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000001,00000001,00000000,?,00000000,?), ref: 6C78C399
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000001,00000001,00000001,00000001,00000000,?,00000000,?), ref: 6C78C3A8
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000001,?,?,00000000,?,00000000,?), ref: 6C78C4DC
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(00000001,?,?,?,?,?,00000000,?,00000000,?), ref: 6C78C4FC
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena$Alloc_CopyItem_$Strdup_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1024836196-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,00000000,00000000), ref: 6C7A4EB1
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpy
                                                                                                                                                                                                        • String ID: %s%.*s"%w"$%s%s$f$string or blob too big
                                                                                                                                                                                                        • API String ID: 3510742995-1241264022
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C757635
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(00000140,?), ref: 6C757655
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C75779A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Error_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1799102543-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C736FFF
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C737016
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C73702D
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C737044
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73706A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1468616262-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_value_blob.SQLITE3(?), ref: 6C7A5DBB
                                                                                                                                                                                                        • sqlite3_value_blob.SQLITE3(?,?), ref: 6C7A5DC5
                                                                                                                                                                                                        • sqlite3_result_int.SQLITE3(?,00000000), ref: 6C7A5E78
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_value_blob$sqlite3_result_int
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 730619900-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C78AEE0: PORT_NewArena_Util.NSSUTIL3(00000800,?,?,?,?,?,?,?,?,?,?,?,?,?,6C78269E,?), ref: 6C78AEE9
                                                                                                                                                                                                        • PR_Lock.NSPR4(?), ref: 6C782753
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,?,00000000), ref: 6C782770
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C782787
                                                                                                                                                                                                        • memcpy.MSVCR120(00000001,?,?), ref: 6C7827A1
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,00000000,?), ref: 6C7827C8
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Arena_Free_LockUnlockmemcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1913051495-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C73B785
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?,?), ref: 6C73B7A9
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?), ref: 6C73B7CC
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1468616262-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memset$Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1471373525-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • DER_DecodeTimeChoice_Util.NSSUTIL3(?,?), ref: 6C78B8E1
                                                                                                                                                                                                        • DER_DecodeTimeChoice_Util.NSSUTIL3(?,?), ref: 6C78B8FB
                                                                                                                                                                                                        • DER_DecodeTimeChoice_Util.NSSUTIL3(?,?), ref: 6C78B939
                                                                                                                                                                                                        • DER_DecodeTimeChoice_Util.NSSUTIL3(?,?), ref: 6C78B953
                                                                                                                                                                                                        • PR_Now.NSPR4(00000000), ref: 6C78B9B4
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Choice_DecodeTimeUtil
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2662528191-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6C7578A3
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6C7578D0
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,00000000,00000000,?,6C76E4C2), ref: 6C72CD31
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,00000000,00000000,?,6C76E4C2), ref: 6C72CD49
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE03F,00000000,?,6C76E4C2), ref: 6C72CD5B
                                                                                                                                                                                                          • Part of subcall function 6C721320: SystemFunction036.ADVAPI32(?,?,6C72CD21,?,00000037,00000000,00000000,?,6C76E4C2), ref: 6C721328
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C72CD9E
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C72CDDA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Error_Free_Function036Systemmemcpymemset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1329885872-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7490FE
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,?,00000000,?,?,?,?,?,6C74CF0F,?,?), ref: 6C749110
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpymemset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1297977491-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,00000000,00000000,00000000,?,?,00000030,?), ref: 6C78A2AE
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(?,?,?), ref: 6C78A2F1
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000001), ref: 6C78A306
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,00000000,?), ref: 6C78A325
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000001,00000000,00000000,?), ref: 6C78A330
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Item_$Free$AllocError_memcpy
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C7306FF
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(00000128), ref: 6C730713
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C730726
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,00000128), ref: 6C73079F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C7307BA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_Free_
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: _write$_errno_lseekmemset
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: _lseek$_writememset
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012,00000000,00000000,6C78E898,00000000,?,?), ref: 6C78C861
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000001,00000000,00000000,00000000,6C78E898,00000000,?,?), ref: 6C78C8A4
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C78C8BA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_Arena
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6C740A70
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C740A90
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C740AA3
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,501275B7,?,00000000,00000000,6C78F6C8,?,00000000,?,?,?,?,?,6C790B41,?,00000000), ref: 6C78DA71
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000,?,?,?,?,?,6C790B41,?,00000000), ref: 6C78DA87
                                                                                                                                                                                                        • memcpy.MSVCR120(00000009,2D75C085,0824448D,00000000,?,?,?,?,?,6C790B41,?,00000000), ref: 6C78DAD0
                                                                                                                                                                                                        • memcpy.MSVCR120(08244484,FF575018,E8302474,?,?,?,00000000,?,?,?,?,?,6C790B41,?,00000000), ref: 6C78DAEC
                                                                                                                                                                                                        • memcpy.MSVCR120(E8302474,8510C483,501275C0,08244484,FF575018,E8302474,?,?,?,00000000,?,?,?,?,?,6C790B41), ref: 6C78DB03
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpy$Util$Alloc_ArenaError_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2107776439-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3 ref: 6C782395
                                                                                                                                                                                                        • SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000000,?,6C797288,00000000), ref: 6C7823B6
                                                                                                                                                                                                        • SECOID_SetAlgorithmID_Util.NSSUTIL3(00000000,?,?,00000000,?,?,?,?,00000000), ref: 6C7823CD
                                                                                                                                                                                                        • SEC_ASN1EncodeItem_Util.NSSUTIL3(00000000,00000000,?,6C7972C8,?,?,?,?,?,?,?,?,00000000), ref: 6C7823E7
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,00000000), ref: 6C7823F4
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_EncodeItem_$AlgorithmFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 938771812-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78F5EA
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,-00000005,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78F60C
                                                                                                                                                                                                        • memcpy.MSVCR120(00000005,?,00000000,?,?,00000000), ref: 6C78F637
                                                                                                                                                                                                          • Part of subcall function 6C78D9F0: PORT_ArenaAlloc_Util.NSSUTIL3(?,?,00000000,?,6C78D2D3,?,00000000,?), ref: 6C78DA1B
                                                                                                                                                                                                          • Part of subcall function 6C78D9F0: memcpy.MSVCR120(00000001,?,?,00000000,?), ref: 6C78DA31
                                                                                                                                                                                                          • Part of subcall function 6C78F520: PR_Lock.NSPR4(?,00000000,?,?,?,?,00000000,00000009,00000000,00000003,?,?,?,?,6C790DFF,?), ref: 6C78F571
                                                                                                                                                                                                          • Part of subcall function 6C78F520: PR_Unlock.NSPR4(?,?,?,6C790DFF,?,00000000,00000000), ref: 6C78F591
                                                                                                                                                                                                          • Part of subcall function 6C78F520: PR_Lock.NSPR4 ref: 6C78F5A6
                                                                                                                                                                                                          • Part of subcall function 6C78F520: PR_Unlock.NSPR4 ref: 6C78F5BC
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C78F66E
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,00000000), ref: 6C78F681
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$Alloc_ArenaFreeLockUnlockmemcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2452498693-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,00000000,?,?,6C78BA60,?,?,?,?), ref: 6C78BA8F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE004,?,00000000,?,?,6C78BA60,?,?,?,?), ref: 6C78BAAC
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,00000000,?,?,6C790CCF,?,?,?,?,?,00000000,?,6C78F389,?,?,6C78F389), ref: 6C78D39B
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000001,?,6C790CCF,?,?,?,?,?,00000000,?,6C78F389,?,?,6C78F389), ref: 6C78D3BE
                                                                                                                                                                                                        • memcpy.MSVCR120(00000001,?,00000000,?,?,?,6C790CCF,?,?,?,?,?,00000000,?,6C78F389,?), ref: 6C78D3DA
                                                                                                                                                                                                          • Part of subcall function 6C78D1F0: PR_Lock.NSPR4(6C78F389,00000000,00000006,?,?,?,?,?,6C790B0B,?,6C78F389), ref: 6C78D219
                                                                                                                                                                                                          • Part of subcall function 6C78D1F0: PR_Unlock.NSPR4(?,?,?,?,6C790B0B,?,6C78F389,?,?,?,?,?,?,?), ref: 6C78D234
                                                                                                                                                                                                          • Part of subcall function 6C78D1F0: PR_Lock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,6C78F389), ref: 6C78D251
                                                                                                                                                                                                          • Part of subcall function 6C78D1F0: PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,6C78F389), ref: 6C78D267
                                                                                                                                                                                                          • Part of subcall function 6C78D1F0: PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6C78D279
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,6C790CCF,?,?), ref: 6C78D3FD
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,6C790CCF,?,?,?,?,?,00000000,?,6C78F389,?,?,6C78F389), ref: 6C78D411
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$FreeLockUnlock$Alloc_ArenaError_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3051677353-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECOID_FindOIDByTag_Util.NSSUTIL3(00000000,?,?,00000000,6C78303F,00000000,00000018,00000006,?), ref: 6C781B27
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C781B53
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C781B5D
                                                                                                                                                                                                        • memcpy.MSVCR120(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C781B7E
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,00000000,00000001,?,?,?,?), ref: 6C781B91
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_memcpy$ArenaFindTag_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3180307628-0
                                                                                                                                                                                                        • Opcode ID: 3cf45885359b9e6eae64d596104689858a2fd2b118670089949d2ee5c391af08
                                                                                                                                                                                                        • Instruction ID: 3024beacb2c713bf44a04adb0c2a6281dedbf999a4f4d3322e70b7b08225d753
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3cf45885359b9e6eae64d596104689858a2fd2b118670089949d2ee5c391af08
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 94012BB9502B016BCB01DF64DE84867FBA1EF842307048A39E9B9C7B10E731E925C7A1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(6C78F389,00000000,00000006,?,?,?,?,?,6C790B0B,?,6C78F389), ref: 6C78D219
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,?,6C790B0B,?,6C78F389,?,?,?,?,?,?,?), ref: 6C78D234
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,6C78F389), ref: 6C78D251
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,6C78F389), ref: 6C78D267
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6C78D279
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlock$Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 855844629-0
                                                                                                                                                                                                        • Opcode ID: 34b8a47a04d8b980342d35023fa6cb0dccb1993a00336200574d613e3608cd81
                                                                                                                                                                                                        • Instruction ID: 9f3cf5a2c33b7ade972d6268b0c04633a6cbf08f4b4ff1069128fe667facaf58
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 34b8a47a04d8b980342d35023fa6cb0dccb1993a00336200574d613e3608cd81
                                                                                                                                                                                                        • Instruction Fuzzy Hash: DE11E036A092119FCB01DF6DDD04A8A7BF0AF9A211F040575FD6893310D331D91ECBA2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800), ref: 6C738916
                                                                                                                                                                                                        • PORT_ArenaZAlloc_Util.NSSUTIL3(00000000,00000084), ref: 6C738930
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(00000000,00000068,?), ref: 6C73894B
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,00000000,00000068,?), ref: 6C738959
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000001), ref: 6C738972
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_$AllocAlloc_ArenaFreeItem_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2079189473-0
                                                                                                                                                                                                        • Opcode ID: a0ae47dd85403e8a1d3e4a5aa0fe845de7c91ecc458fef91c429e3824dd04462
                                                                                                                                                                                                        • Instruction ID: ce9059f6639f01e5c510d543e98b32d722cc97a8213821b65cea74642cb13a6c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a0ae47dd85403e8a1d3e4a5aa0fe845de7c91ecc458fef91c429e3824dd04462
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 640126321087112BD6015A68BD8AFAB7AE8AF86338F040726F564D6AD0DB7198959362
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_NewArena_Util.NSSUTIL3(00000800,?,6C790DDA,00000000,?,00000000), ref: 6C78E3A6
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000), ref: 6C78E3B9
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000010,00000000), ref: 6C78E3C8
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,00000000), ref: 6C78E3DB
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,FFFFE013,?,?,00000000), ref: 6C78E3E3
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_Error_$Alloc_ArenaFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2983971270-0
                                                                                                                                                                                                        • Opcode ID: e8e95569be7bfab849a89bc311605c1441ae8f4753e8d04356a07812568e2fcf
                                                                                                                                                                                                        • Instruction ID: 14775de61281311dfc88db7547125e1a3186a81bad8018f8b91683b1ced89d83
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e8e95569be7bfab849a89bc311605c1441ae8f4753e8d04356a07812568e2fcf
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 02F0E970A4922117E7E056A4BD087CA35805F40218F158278F90CDAB50E76E9B4B47D2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(?,00000000), ref: 6C739132
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000000), ref: 6C739140
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000000,?,00000000), ref: 6C73914B
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000000,?,00000000,?,00000000), ref: 6C739156
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,00000000,?,00000000,?,00000000), ref: 6C73915C
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free$Item_$Arena_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2810683504-0
                                                                                                                                                                                                        • Opcode ID: 114de7c4022860d8464bd7f179bc482c577c8aaa45846cbab3e403e0a8927b95
                                                                                                                                                                                                        • Instruction ID: caec40cc13ed49f0884f682b8bad79f78732007e0db742736ac05050704986c6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 114de7c4022860d8464bd7f179bc482c577c8aaa45846cbab3e403e0a8927b95
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52E09272D01B3066DA60FAA4AE4EFCB679C1F0D605F840855B944EBA40EF20F55886A0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • HASH: Out of overflow pages. Increase page size, xrefs: 6C795111
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: _read_writefreemalloc
                                                                                                                                                                                                        • String ID: HASH: Out of overflow pages. Increase page size
                                                                                                                                                                                                        • API String ID: 3772666184-285455680
                                                                                                                                                                                                        • Opcode ID: 08ed3731bbb97f1ccf88ba5f69fa83fc1fa819d5a57c3d4277a751df850c2410
                                                                                                                                                                                                        • Instruction ID: 6c26adc93c2c7f47b8767cc73af4ce70e1c2950a09a3ef5b512af257cfa50059
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 08ed3731bbb97f1ccf88ba5f69fa83fc1fa819d5a57c3d4277a751df850c2410
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E09108726046229BD715CE2CF9806A6B3E1FB84325F544739E96AC7A90E731F526CBC0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?,?,?), ref: 6C7EFA63
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_free
                                                                                                                                                                                                        • String ID: (NULL)$NULL$NaN
                                                                                                                                                                                                        • API String ID: 2313487548-2613287491
                                                                                                                                                                                                        • Opcode ID: a45c87e9106d0a2e3dd225f7000280584356bc82fd8671de55ba312e2031c915
                                                                                                                                                                                                        • Instruction ID: 0d8704a2888442ba96e96afb0ff24436896235bab9018e03ab9d345a8e9e5788
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a45c87e9106d0a2e3dd225f7000280584356bc82fd8671de55ba312e2031c915
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5851F132A093828FD7118F19EA8474BBFE1AF8A358F14097DE8D193E54C735D859CB92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6C791010
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,6C797360,00000000,00000002,00000000), ref: 6C791080
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_Strdup_
                                                                                                                                                                                                        • String ID: .db
                                                                                                                                                                                                        • API String ID: 2055704692-1874795567
                                                                                                                                                                                                        • Opcode ID: 9e9520386b16087e3cc8c953138facef808cd1bcfa90e9af87050974a3dc71c7
                                                                                                                                                                                                        • Instruction ID: bc67cbc2fdace6e01fd1956adbd4fdc15e8d1d49f9094df4a8ef208d1d305e0a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e9520386b16087e3cc8c953138facef808cd1bcfa90e9af87050974a3dc71c7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 68417672A4460027D3008668AE85FDB73ED9F817A8F480774F955D7781E72BDA2D83E2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?,00000D0A,00000000,winAccess,?,00008547), ref: 6C7A2B62
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • delayed %dms for lock/sharing conflict, xrefs: 6C7A2B2C
                                                                                                                                                                                                        • winAccess, xrefs: 6C7A2B4E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_free
                                                                                                                                                                                                        • String ID: delayed %dms for lock/sharing conflict$winAccess
                                                                                                                                                                                                        • API String ID: 2313487548-1182425617
                                                                                                                                                                                                        • Opcode ID: cf2632b79bdc021ca17296ed361f55fcf0479fb8a1946a3097e4156c5ed13d98
                                                                                                                                                                                                        • Instruction ID: c9db276e0a8bc192c772f32db09dde6c0706409a5ce9027133b3c82407af7d1b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: cf2632b79bdc021ca17296ed361f55fcf0479fb8a1946a3097e4156c5ed13d98
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2751D6716043029FC720DFAA8A8975AB7F0AB89318F450B3EE85DD3A50E734D446CB52
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,00000000,00000000,00000180,00000001,00000000), ref: 6C7833B3
                                                                                                                                                                                                        • PR_Lock.NSPR4(?), ref: 6C7833E3
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?), ref: 6C7833F4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Free_LockUnlockUtil
                                                                                                                                                                                                        • String ID: key
                                                                                                                                                                                                        • API String ID: 3093347579-2324736937
                                                                                                                                                                                                        • Opcode ID: 60be4c2ac2d368cb00768bc4cb3fbfbe3aea7adca3789437534d1f7f2d7c4a54
                                                                                                                                                                                                        • Instruction ID: 276cc3586956865ad6febc6a717923cd9c0d815f66e81d3027e658614888191a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 60be4c2ac2d368cb00768bc4cb3fbfbe3aea7adca3789437534d1f7f2d7c4a54
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E414B7290322077EB112A389E4DF9F72E49F41B29F144135FF06BBB81DB65D91982D2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C7B6A60: __allrem.LIBCMT ref: 6C7B6A93
                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C7C0ED6
                                                                                                                                                                                                        • _localtime64_s.MSVCR120 ref: 6C7C0F02
                                                                                                                                                                                                        • memcpy.MSVCR120(?,local time unavailable,00000001,000007D0,000003E8,00000000,?,00000001,?), ref: 6C7C0FCE
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@_localtime64_smemcpy
                                                                                                                                                                                                        • String ID: local time unavailable
                                                                                                                                                                                                        • API String ID: 3465394515-3313036412
                                                                                                                                                                                                        • Opcode ID: 1e3a12ae7e8d10be5cb6bfa3977805b839194be2c6e2eaafdcb63783dff9e931
                                                                                                                                                                                                        • Instruction ID: 3f97d9155f8559ae26af127f2e3027214f380839336fa49bebb066ac76cce746
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1e3a12ae7e8d10be5cb6bfa3977805b839194be2c6e2eaafdcb63783dff9e931
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EE5136B1A083418FD710CF29CA84B5BBBE4BF88348F40492EF594D7640E775E9888B92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memcpy.MSVCR120(?,ESCAPE expression must be a single character,00000001), ref: 6C7AA79B
                                                                                                                                                                                                        • sqlite3_result_int.SQLITE3(?,00000000,?,?,?,00000000), ref: 6C7AA864
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • LIKE or GLOB pattern too complex, xrefs: 6C7AA793
                                                                                                                                                                                                        • ESCAPE expression must be a single character, xrefs: 6C7AA82A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpysqlite3_result_int
                                                                                                                                                                                                        • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                                                                                                                                                        • API String ID: 1835405071-264706735
                                                                                                                                                                                                        • Opcode ID: 75b8d828132a6b5445712c862944413f92b7f8b11e14d47f3b9dd1e70ecace32
                                                                                                                                                                                                        • Instruction ID: 950f1db1690c7799edd125bd390aa21c831ac53627666039659f1fd116c2d630
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 75b8d828132a6b5445712c862944413f92b7f8b11e14d47f3b9dd1e70ecace32
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C641E4B1A017019BE7118E66DE84B57B7A8AB00368F100A39F8559BB41E321E94BCFA1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(00000000), ref: 6C7911B0
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,6C797360,00000000,00000002,00000000), ref: 6C791220
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_Strdup_
                                                                                                                                                                                                        • String ID: .db
                                                                                                                                                                                                        • API String ID: 2055704692-1874795567
                                                                                                                                                                                                        • Opcode ID: fd4e6b51eb296c2d3e026a418ed29d83b7f7a4285553b7577592ae7625613ede
                                                                                                                                                                                                        • Instruction ID: e3decec11a8ea4ffb8ebb35aa4c1f65442e3ac1db30485c56c7b902b465120bd
                                                                                                                                                                                                        • Opcode Fuzzy Hash: fd4e6b51eb296c2d3e026a418ed29d83b7f7a4285553b7577592ae7625613ede
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F419732A4530127C7019A64AE45F9B73FD5F81768F088334F960DB780E32AD61D83E2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_result_null.SQLITE3(?), ref: 6C7A5AA0
                                                                                                                                                                                                        • memcpy.MSVCR120(?,integer overflow,00000001), ref: 6C7A5B2F
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpysqlite3_result_null
                                                                                                                                                                                                        • String ID: integer overflow
                                                                                                                                                                                                        • API String ID: 158029073-1678498654
                                                                                                                                                                                                        • Opcode ID: 3bec04bc263c34cce3051bf9f42be3da79cc905b91ff01b35e23ba448f6a0c7b
                                                                                                                                                                                                        • Instruction ID: e609e06cd6bda150198feb9f574cfbf379fdf28f8e3e5dd4d4f9202b511c976d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3bec04bc263c34cce3051bf9f42be3da79cc905b91ff01b35e23ba448f6a0c7b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6931B9B1A04E015BDB409A58FEC4BA67FA0BF4034CF644B78F89686A11E322D81BC7D1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C7C0140: memset.MSVCR120 ref: 6C7C014E
                                                                                                                                                                                                          • Part of subcall function 6C7B6A60: __allrem.LIBCMT ref: 6C7B6A93
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(00000064,?,%04d-%02d-%02d %02d:%02d:%02d,?,?,?,?,?,00000000,?,?), ref: 6C7A181F
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,00000001), ref: 6C7A186F
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • string or blob too big, xrefs: 6C7A1887
                                                                                                                                                                                                        • %04d-%02d-%02d %02d:%02d:%02d, xrefs: 6C7A1817
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: __allremmemcpymemsetsqlite3_snprintf
                                                                                                                                                                                                        • String ID: %04d-%02d-%02d %02d:%02d:%02d$string or blob too big
                                                                                                                                                                                                        • API String ID: 1650763967-1189373324
                                                                                                                                                                                                        • Opcode ID: f42a51df92ca7e27db5b4c140500a961aa8b7f0bc32aed547fc77f590b07ee51
                                                                                                                                                                                                        • Instruction ID: 63de24395c6dc26b671702d80019e632242af63fe73dbcc5b212e95d291bf4fe
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f42a51df92ca7e27db5b4c140500a961aa8b7f0bc32aed547fc77f590b07ee51
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 36313871608301AFE7149FA5CE84FDBB7ECAF49318F004A29F95892A41E731E51AC752
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C7C0140: memset.MSVCR120 ref: 6C7C014E
                                                                                                                                                                                                          • Part of subcall function 6C7B6A60: __allrem.LIBCMT ref: 6C7B6A93
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(00000064,?,%02d:%02d:%02d,?,?,00000000,?), ref: 6C7A1A99
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,00000001), ref: 6C7A1AED
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: __allremmemcpymemsetsqlite3_snprintf
                                                                                                                                                                                                        • String ID: %02d:%02d:%02d$string or blob too big
                                                                                                                                                                                                        • API String ID: 1650763967-2715048039
                                                                                                                                                                                                        • Opcode ID: daa5e063137457251621f68fb7f67b8117f5563939ac2150e8bf98a1f58225a9
                                                                                                                                                                                                        • Instruction ID: 802235df29f8e58318c1a3fbb4ac2f0b67d34da55808e2e99571aaa47d8a1ddc
                                                                                                                                                                                                        • Opcode Fuzzy Hash: daa5e063137457251621f68fb7f67b8117f5563939ac2150e8bf98a1f58225a9
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C6212872604201ABE7109FA8CE84F9BB7E9BF45348F000A29F95996751E731E51AC7A2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_free
                                                                                                                                                                                                        • String ID: abort due to ROLLBACK$table %s: xBestIndex returned an invalid plan$unknown error
                                                                                                                                                                                                        • API String ID: 2313487548-1226523029
                                                                                                                                                                                                        • Opcode ID: a36ffc42da18c5c0bbc3b7b3f8ca586dee38dd700e28623617d9c9ed705e79bf
                                                                                                                                                                                                        • Instruction ID: f53d2dec3ffa416b2f50f90541eda4e64302232ea8817562edd71fd62a47a1c7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a36ffc42da18c5c0bbc3b7b3f8ca586dee38dd700e28623617d9c9ed705e79bf
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 35219A717012059FDB20CE09DE80E6A73E4AF1636CF565868F8569FE22D730E845CB91
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C7C0140: memset.MSVCR120 ref: 6C7C014E
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(00000064,?,%04d-%02d-%02d,?,?,?,?), ref: 6C7A1E43
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,00000001), ref: 6C7A1E93
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpymemsetsqlite3_snprintf
                                                                                                                                                                                                        • String ID: %04d-%02d-%02d$string or blob too big
                                                                                                                                                                                                        • API String ID: 3409498051-725873148
                                                                                                                                                                                                        • Opcode ID: 933bb143c2f8ae9bb3ec93be8ef74581476bda8432ff8600ce22f4942ae0d5b1
                                                                                                                                                                                                        • Instruction ID: d040a79da259f74b680eaa51c595e368ac2074dd76c0c2a618138657f92860aa
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 933bb143c2f8ae9bb3ec93be8ef74581476bda8432ff8600ce22f4942ae0d5b1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B721EA71608302AFE7109F98CE45F5BB3EDAF45348F000929F95986A41E331E51AC792
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PL_HashTableLookup.PLDS4(00000000,?,-28000000,-28000000,00000000,?,?,-28000000,6C7874B0,?,?,-28000000), ref: 6C78A6E6
                                                                                                                                                                                                        • SECITEM_ItemsAreEqual_Util.NSSUTIL3(00000000,6C7874B0,6C7874B0,?,?,-28000000), ref: 6C78A6F6
                                                                                                                                                                                                        • PL_HashTableLookup.PLDS4(00000000,?,-28000000,?,?,6C7874B0,?,?,-28000000), ref: 6C78A70B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: HashLookupTable$Equal_ItemsUtil
                                                                                                                                                                                                        • String ID: (PU
                                                                                                                                                                                                        • API String ID: 312833382-3939433592
                                                                                                                                                                                                        • Opcode ID: 8c3c090a80ef4e51abb032fe7d228b7128eef5bb962834ba052feb23a0d22d31
                                                                                                                                                                                                        • Instruction ID: 5114a6c2fd420fee06a39397b58bd2e74dd65792c1f2e36d4b76a3d56bf37753
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8c3c090a80ef4e51abb032fe7d228b7128eef5bb962834ba052feb23a0d22d31
                                                                                                                                                                                                        • Instruction Fuzzy Hash: FD115CB250212117C70096B89D8C9AF77D8DF9127CF080535F766D7B41EA1ED519D3B1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_SetError.NSPR4(FFFFE8A7,?), ref: 6C792231
                                                                                                                                                                                                        • PR_FindSymbol.NSPR4(00000000,FREEBL_GetVector), ref: 6C792255
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorFindSymbol
                                                                                                                                                                                                        • String ID: FREEBL_GetVector
                                                                                                                                                                                                        • API String ID: 2161404022-221879721
                                                                                                                                                                                                        • Opcode ID: 355e2aedb38979f4eb3a0d18db423780b032fc701b4abbb2f400e7d8c0b78bc8
                                                                                                                                                                                                        • Instruction ID: 6729e3a278486198a0531e8cdbe4a328b1227c159da86fe78a23c1589b604cfb
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 355e2aedb38979f4eb3a0d18db423780b032fc701b4abbb2f400e7d8c0b78bc8
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8601F730F065124BAF412F2DBD0966A36799FC37357258336E82986AC5DB258183C293
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_smprintf.NSPR4(%s/%s,?,?,?,6C7810E3,?,?), ref: 6C7815A5
                                                                                                                                                                                                        • PR_Delete.NSPR4(00000000), ref: 6C7815B5
                                                                                                                                                                                                        • PR_smprintf_free.NSPR4(00000000), ref: 6C7815BC
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DeleteR_smprintfR_smprintf_free
                                                                                                                                                                                                        • String ID: %s/%s
                                                                                                                                                                                                        • API String ID: 382383796-2758257063
                                                                                                                                                                                                        • Opcode ID: 742e793e1c68a9031e231f3a83cd1055fe1cd1683c3927136da4251d9304d117
                                                                                                                                                                                                        • Instruction ID: 1ae8bcb50a0957f131589f2dc7a73f8781d8eeebb876df592b987c3ddf6f3b14
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 742e793e1c68a9031e231f3a83cd1055fe1cd1683c3927136da4251d9304d117
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D4014C7060A301EFDB108F14DA4971B7AF0AF82715F14C57CE4AA47AE4D734C886DB66
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(?), ref: 6C781961
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,dsyl,00000000), ref: 6C78197C
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlock
                                                                                                                                                                                                        • String ID: dsyl$global-salt
                                                                                                                                                                                                        • API String ID: 4018760208-3147048831
                                                                                                                                                                                                        • Opcode ID: a170126834c5a6424c3c201cb701810d89922119418db9c2b3d099286380cfee
                                                                                                                                                                                                        • Instruction ID: 6b5a1b3f4a7d19156b3896a7e6e531ff227e6624ad86c1109714afcae0621bb7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a170126834c5a6424c3c201cb701810d89922119418db9c2b3d099286380cfee
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8CF0E7766042119FC700DF58C845A9BBBF8EFC9650F44895EF995C7211D331E90A8BE2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • NSSUTIL_ArgGetParamValue.NSSUTIL3(name,6C7910EC,00000000,6C7910EC,?,?), ref: 6C791F3B
                                                                                                                                                                                                        • NSSUTIL_ArgGetParamValue.NSSUTIL3(library,6C7910EC,?,?), ref: 6C791F4F
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ParamValue
                                                                                                                                                                                                        • String ID: library$name
                                                                                                                                                                                                        • API String ID: 2093758156-1995335093
                                                                                                                                                                                                        • Opcode ID: a820ce235148cba4da8505289e3c0cdedf6af5562e893478fa4e755b077b7cb0
                                                                                                                                                                                                        • Instruction ID: e87f414261aea7f42179fe3b2aa7e4712b5e45bd998e5e21e8c36247752e7e6d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a820ce235148cba4da8505289e3c0cdedf6af5562e893478fa4e755b077b7cb0
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 06F0EC25A095121B4F044A69BA045C63FE69F8737875CC77CE81597B14EB31D5068390
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C73E291
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C73E2AA
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C73E2C3
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73E2DC
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1468616262-0
                                                                                                                                                                                                        • Opcode ID: 6e5c394920ba93f23b9bd4955e8df5481d1b9777762cb991b95aade911efc45e
                                                                                                                                                                                                        • Instruction ID: ac9cad563445f042f2f43a09171bec5e48c7e593261b4002fd44d0667103c86f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6e5c394920ba93f23b9bd4955e8df5481d1b9777762cb991b95aade911efc45e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: ACE1A472C06739A7C720DAA08E48ECBB7DC6B44264F444B3AEE58C3641E735D91D97E2
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: OID$ROWID$_ROWID_
                                                                                                                                                                                                        • API String ID: 0-3674242750
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,00000000), ref: 6C73AB53
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,00000000), ref: 6C73AB7A
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?,00000000), ref: 6C73ABA1
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,00000000), ref: 6C73ABC8
                                                                                                                                                                                                          • Part of subcall function 6C739E90: SECITEM_ZfreeItem_Util.NSSUTIL3(?,00000000), ref: 6C739EEF
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Item_Zfreememset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 157318556-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • cd0b37c52658bfdf992b1e3dc467bae1835a94ae, xrefs: 6C7BAF30
                                                                                                                                                                                                        • database corruption at line %d of [%.10s], xrefs: 6C7BAF3A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpymemset
                                                                                                                                                                                                        • String ID: cd0b37c52658bfdf992b1e3dc467bae1835a94ae$database corruption at line %d of [%.10s]
                                                                                                                                                                                                        • API String ID: 1297977491-4214876069
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C73F4EF
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C73F507
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C73F51F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73F537
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1468616262-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C7CB5BB
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,00000000,?,?,00000026,00000004,00000000,00000000,00000048,?,?,?,?,?), ref: 6C7CB654
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpymemset
                                                                                                                                                                                                        • String ID: %s:%d$rowid
                                                                                                                                                                                                        • API String ID: 1297977491-662108874
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • too many SQL variables, xrefs: 6C7D7946
                                                                                                                                                                                                        • variable number must be between ?1 and ?%d, xrefs: 6C7D7794
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpymemset
                                                                                                                                                                                                        • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                                                                                                        • API String ID: 1297977491-515162456
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • memmove.MSVCR120(00000004,?,Z,yl,Z,yl,00000000,?,?,6C79426C,?,00000000,Z,yl,?), ref: 6C7957F9
                                                                                                                                                                                                        • memmove.MSVCR120(?,?,Z,yl), ref: 6C79589C
                                                                                                                                                                                                        • memmove.MSVCR120(00000004,?,Z,yl,Z,yl,00000000,?,?,6C79426C,?,00000000,Z,yl,?), ref: 6C795954
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memmove
                                                                                                                                                                                                        • String ID: Z,yl
                                                                                                                                                                                                        • API String ID: 2162964266-240803986
                                                                                                                                                                                                        • Opcode ID: d2f2caef7c497a11b13a6943936d327a9c8fd99f528526d0c39ab81f0fdf8c49
                                                                                                                                                                                                        • Instruction ID: 2a8596ae4591dbf132890d7ecb232d9ba82decee3531b625fc4e4d1bced0a786
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d2f2caef7c497a11b13a6943936d327a9c8fd99f528526d0c39ab81f0fdf8c49
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A971AC381083218AC7289F29E15457AB7F0FF98326F508A2EF8C187750E33AD855DB62
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memsetsqlite3_free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1394162170-0
                                                                                                                                                                                                        • Opcode ID: c2e7fb7420802ef79def2058876aea59a7a3f44d6d4d09df708c04349f0ec3d8
                                                                                                                                                                                                        • Instruction ID: 9abf1f499bb1d07a1b32d6d39f577562de761158f7c78aaba938f37ad3a7ec61
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c2e7fb7420802ef79def2058876aea59a7a3f44d6d4d09df708c04349f0ec3d8
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3951FF717083029FC3208F28CA9976B77E4AF95398F18493CE98497B41E735E909CB93
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • virtual tables may not be altered, xrefs: 6C7CD4DE
                                                                                                                                                                                                        • Cannot add a column to a view, xrefs: 6C7CD506
                                                                                                                                                                                                        • sqlite_altertab_%s, xrefs: 6C7CD599
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                                                        • API String ID: 0-2063813899
                                                                                                                                                                                                        • Opcode ID: d93b0bae3f8e435e767bdf730f8167e767ca08550eaa9d91b99db636683cc16b
                                                                                                                                                                                                        • Instruction ID: 74786075948f0432088c3948d022304361ce2e0623f8ef3329ff9b3bd65388f4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d93b0bae3f8e435e767bdf730f8167e767ca08550eaa9d91b99db636683cc16b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D95106B1500706AFD710DF24ED48B6BB7E8EF54319F444829EC4996B02E736F528CBA6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,6C78F389,?,?,6C78F389,?,?,?,?,?,?,?), ref: 6C790BBE
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Free_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3239092222-0
                                                                                                                                                                                                        • Opcode ID: c28606895a21f68bc355e9b21f4efa77f563ac77f3407e285ac978b8954d4d44
                                                                                                                                                                                                        • Instruction ID: 19fc7283e612a902691b3f7a2db19a0292bace662acbaeba81d23bf68ff36d3a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c28606895a21f68bc355e9b21f4efa77f563ac77f3407e285ac978b8954d4d44
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A64117719146569BC300DF78FA845DAB7A5FB4B328F580638DDA487B40E332E929C7D1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,6C73C006,?,?,?,?,?), ref: 6C73A49A
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,6C73C006,?,?,?,?,?), ref: 6C73A4B1
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,6C73C006,?,?,?,?,?), ref: 6C73A4C8
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,6C73C006,?,?,?,?,?), ref: 6C73A4DF
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        • Opcode ID: 818ba294e19e4ecfa6a6dcf1e0ce9de00bfad07bc10f0144f7c829535f3f92e7
                                                                                                                                                                                                        • Instruction ID: cf9cf64d13dcab5b73a42461a9ad375e3d625a0439194b16523122ae1ae56efb
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 818ba294e19e4ecfa6a6dcf1e0ce9de00bfad07bc10f0144f7c829535f3f92e7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5F414872C0163027DB109AAC5E4AAEBB698AB40234F444735FD38C27E0E766D90D53E3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012,00000000,?,00000000,?,?,6C78F23B,?,?), ref: 6C78C60B
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,00000000,?,00000000,?,?,6C78F23B,?,?), ref: 6C78C67D
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,00000000), ref: 6C78C696
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,00000000), ref: 6C78C6D5
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Alloc_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3190935853-0
                                                                                                                                                                                                        • Opcode ID: b0883ee37f20e4a081965695cb754868c03240415fa57a25d538b6916380a5a8
                                                                                                                                                                                                        • Instruction ID: 66d4874b25e471dd4d820840aad0c7cd0db89f5484ab92ef9c05c76405269e9f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b0883ee37f20e4a081965695cb754868c03240415fa57a25d538b6916380a5a8
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F5133B16093418FD314CF29DA84922FBE0EF45316B14877EE5AAC3A92D734E618CB90
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE004), ref: 6C72D28E
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE003), ref: 6C72D2BA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?), ref: 6C73F149
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?), ref: 6C73F15F
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?), ref: 6C73F175
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?), ref: 6C73F18B
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1468616262-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C72E2CC
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C72E2EF
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C72E312
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?,?,?,?,?,?,6C73CC5D,?,?,?), ref: 6C73D4CB
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?,?,?,?,?,?,6C73CC5D,?,?,?), ref: 6C73D4E0
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?,?,?,?,?,?,6C73CC5D,?,?,?), ref: 6C73D4F5
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,?,?,?,?,?,?,?,?,?,6C73CC5D,?,?,?), ref: 6C73D50A
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C74A051
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1468616262-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memset$_errno_stat64i32
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1553508915-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_load_extension.SQLITE3(?,00000000,00000000,?), ref: 6C7A2C88
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?), ref: 6C7A2CEB
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,00000001), ref: 6C7A2D37
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?), ref: 6C7A2D4A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
• Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_free$memcpysqlite3_load_extension
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3062272285-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
• Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Lock$DestroyError_Utilmemset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2916132831-0
                                                                                                                                                                                                        • Opcode ID: 82881bbc8dc96f5ad980efb26271917595e3bd340244cdb51b940b5a57b3aaf1
                                                                                                                                                                                                        • Instruction ID: ca75e6c17476d7c2898d9cbb354fe1bb25b22741ff46914d9772334fa17cdeaf
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 82881bbc8dc96f5ad980efb26271917595e3bd340244cdb51b940b5a57b3aaf1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5531F8B1A003009BE710AB29CD4EB6A33F4AB55755F640A39F916877C0FF74D508CAE2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • free.MSVCR120 ref: 6C79619F
                                                                                                                                                                                                        • malloc.MSVCR120 ref: 6C7961A9
                                                                                                                                                                                                        • _errno.MSVCR120 ref: 6C7961E0
                                                                                                                                                                                                        • memmove.MSVCR120(?,?,?,?,?,?,?,?,?), ref: 6C79620B
                                                                                                                                                                                                          • Part of subcall function 6C793BD0: free.MSVCR120 ref: 6C793CBE
                                                                                                                                                                                                          • Part of subcall function 6C793BD0: free.MSVCR120 ref: 6C793CC1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: free$_errnomallocmemmove
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3151229899-0
                                                                                                                                                                                                        • Opcode ID: d1f5d6fbd51f0df66d4f626769210ae03bfb3e549e4462749337c5b67612a2f7
                                                                                                                                                                                                        • Instruction ID: b803c3e050a0b080eab43df22bd6e101eefe187fb5475d0465f4662ab716e0ca
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d1f5d6fbd51f0df66d4f626769210ae03bfb3e549e4462749337c5b67612a2f7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5131E572200611ABDB008F69ED4497BB7F8FF89765F040A39F954C2642D335E960C7A6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C7905F0: PORT_NewArena_Util.NSSUTIL3(00000800,6C78F389,?,?,6C78F389,?,?,?,?,?), ref: 6C7905FB
                                                                                                                                                                                                          • Part of subcall function 6C7905F0: PORT_SetError_Util.NSSUTIL3(FFFFE013,?,6C78F389,?,?,?,?,?), ref: 6C79060E
                                                                                                                                                                                                        • SECITEM_ItemsAreEqual_Util.NSSUTIL3(?,00000014,?,?), ref: 6C790AB5
                                                                                                                                                                                                        • PR_EnterMonitor.NSPR4(?,?,?,?,?,?,?,?), ref: 6C790AFE
                                                                                                                                                                                                        • PR_ExitMonitor.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C790B21
                                                                                                                                                                                                          • Part of subcall function 6C78F6A0: PORT_NewArena_Util.NSSUTIL3(00000800,00000000,?,?,?,?,6C790B41,?,00000000), ref: 6C78F6AA
                                                                                                                                                                                                          • Part of subcall function 6C78F6A0: PORT_FreeArena_Util.NSSUTIL3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C78F701
                                                                                                                                                                                                        • PR_ExitMonitor.NSPR4(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C790B49
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Arena_Monitor$Exit$EnterEqual_Error_FreeItems
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2740641406-0
                                                                                                                                                                                                        • Opcode ID: ba506cdd46177aee829f355abe8a79ade0648ee886b4445c51b2a18b702be1b3
                                                                                                                                                                                                        • Instruction ID: 772e14635aef0dae4a79f228dfc537083fd02f8773bd29b5ee9d3d9abc419fbc
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ba506cdd46177aee829f355abe8a79ade0648ee886b4445c51b2a18b702be1b3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 192138B271110027D6001E997E4DEDB76ACDFC626EF040136FA0591B02E712E92D43F6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(?,?,00000000,?,?,?,?,6C78F418,?,00000000,?,00000000), ref: 6C78D7A5
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,00000000,?,?,?,?,?,?,6C78C0D6,?,00000000), ref: 6C78D7BC
                                                                                                                                                                                                        • memcpy.MSVCR120(0000000D,?,?,?,00000000,?,?,?,?,?,?,6C78C0D6,?,00000000), ref: 6C78D825
                                                                                                                                                                                                        • memcpy.MSVCR120(?,?,?,0000000D,?,?,?,00000000,?,?,?,?,?,?,6C78C0D6,?), ref: 6C78D838
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Utilmemcpy$Alloc_ArenaError_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3681875837-0
                                                                                                                                                                                                        • Opcode ID: 086b90013f5f2f8d0df5d13762e43714c73e16bf90fa88576b1202f2c59240c9
                                                                                                                                                                                                        • Instruction ID: e9381b62767ea039f291adf033bd1c7651d1aafa112297a68e93d1886e832117
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 086b90013f5f2f8d0df5d13762e43714c73e16bf90fa88576b1202f2c59240c9
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EF31887150928AAFC701CF69D844899BFF4FF65214B08875AF8888BB02D735E759C7B1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlock
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4018760208-0
                                                                                                                                                                                                        • Opcode ID: 92a41a38a03f828221b05e3638f731ccb45099ed32c11425de4f07180c0b4c82
                                                                                                                                                                                                        • Instruction ID: b5b2ace14ef0ad184a5ba3aae3cc284380d53411ca828c86c9ee57cfd7f0fd29
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 92a41a38a03f828221b05e3638f731ccb45099ed32c11425de4f07180c0b4c82
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F8219136508304AFC701DF59C984A9BBBF8FF8D765F500A29F999D3200D736E9098B92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(00000000,00000000,00000000,00000000,?,6C787A9C,?,?,00000000,?,?,?,?,?,?,?), ref: 6C78701A
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000012,00000000,00000000,00000000,?,6C787A9C,?,?,00000000,?,?,?,?,?,?,?), ref: 6C78706B
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7870B8
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Free_Strdup_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3002811931-0
                                                                                                                                                                                                        • Opcode ID: a50e4fe0e0a8acc901f4bc76f8a28a0a6f7711b0da83aec3785b343fd4cad799
                                                                                                                                                                                                        • Instruction ID: 17e11beceff63494ee1d970fbc6d097cbe6f871d89707e7f21c1d51aa9ac8575
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a50e4fe0e0a8acc901f4bc76f8a28a0a6f7711b0da83aec3785b343fd4cad799
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9721F8B2B0270657D7204F56EF48797B7E9DF80359F10853EE96A83F10E732E11886A1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECITEM_AllocItem_Util.NSSUTIL3(6C73C3DB,6C73C3DB,?,?,?,?,6C73C3DB,00000000,?,?), ref: 6C73C4C2
                                                                                                                                                                                                          • Part of subcall function 6C73CBE0: PORT_SetError_Util.NSSUTIL3(FFFFE005,0000000A,6C73C3DB,6C73C3E3,6C73C3E3,?,?), ref: 6C73CC01
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE03F,?,?,?,?,?), ref: 6C73C51E
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(6C73C3DB,00000000), ref: 6C73C530
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005,?,?,6C73C3DB,00000000,?,?), ref: 6C73C54C
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Error_$Item_$AllocFree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2351708056-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(00000000), ref: 6C73C5A0
                                                                                                                                                                                                          • Part of subcall function 6C73CBE0: PORT_SetError_Util.NSSUTIL3(FFFFE005,0000000A,6C73C3DB,6C73C3E3,6C73C3E3,?,?), ref: 6C73CC01
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE03F), ref: 6C73C5E1
                                                                                                                                                                                                        • PORT_GetError_Util.NSSUTIL3 ref: 6C73C5EC
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73C625
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1971245937-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C7404E0
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C740531
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,?), ref: 6C74055F
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,00000000,?), ref: 6C740565
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_$Alloc_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3600600774-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001,?,?,?,?,?,?), ref: 6C73F5DB
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,?,?), ref: 6C73F5F0
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002,?,?,?,?,?,?), ref: 6C73F605
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1468616262-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C7405F0
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C74063C
                                                                                                                                                                                                        • memcpy.MSVCR120(?,00000000,?), ref: 6C74066A
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,00000000,?), ref: 6C740670
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_$Alloc_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3600600774-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(?,10C483F8,00000000,?,00000000,-00000004,6C78F4B8,?,00000000,?,?,?,?,6C78F9E2,?,00000000), ref: 6C78D8F4
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013,?,?,?,?,6C78F9E2,?,00000000,?,?,6C78F1EE,?,?,?,?,00000000), ref: 6C78D90B
                                                                                                                                                                                                        • memcpy.MSVCR120(00000007,FFE49FE8,10C483FF,?,?,?,?,6C78F9E2,?,00000000,?,?,6C78F1EE,?,?,?), ref: 6C78D93E
                                                                                                                                                                                                        • memcpy.MSVCR120(10C483F8,74FFF883,00000000,?,?,?,?,?,?,?,?,6C78F9E2,?,00000000,?,?), ref: 6C78D957
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Utilmemcpy$Alloc_ArenaError_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3681875837-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,00000000,?,?,?,?,00000000,00000009,00000000,00000003,?,?,?,?,6C790DFF,?), ref: 6C78F571
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,6C790DFF,?,00000000,00000000), ref: 6C78F591
                                                                                                                                                                                                        • PR_Lock.NSPR4 ref: 6C78F5A6
                                                                                                                                                                                                        • PR_Unlock.NSPR4 ref: 6C78F5BC
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlock
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4018760208-0
                                                                                                                                                                                                        • Opcode ID: c58a1a1017c7fddcba2c258edc08ea21820360789d67b6ca91186ca7eb8f2085
                                                                                                                                                                                                        • Instruction ID: 4f6203220965c4de8a862f5f057e68c070aa4484afe19af372f034923b530da8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c58a1a1017c7fddcba2c258edc08ea21820360789d67b6ca91186ca7eb8f2085
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4D21A4355093519FD702DF2CC844996BFF0BF9A210F0845A9F9A887352C335DA4ACF92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000000), ref: 6C73D62E
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,00000000), ref: 6C73D634
                                                                                                                                                                                                          • Part of subcall function 6C748ED0: memset.MSVCR120 ref: 6C748EEA
                                                                                                                                                                                                          • Part of subcall function 6C748ED0: free.MSVCR120 ref: 6C748EFA
                                                                                                                                                                                                        • PR_DestroyCondVar.NSPR4(?), ref: 6C73D656
                                                                                                                                                                                                        • PR_DestroyLock.NSPR4(?), ref: 6C73D673
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DestroyUtil$CondFreeFree_Item_Lockfreememset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2004127352-0
                                                                                                                                                                                                        • Opcode ID: 74dad40f13ed41ad25cea7a151eada678a8dac1bbf4d849a5205dbc537c0e8b4
                                                                                                                                                                                                        • Instruction ID: af670a80221a879adaea4552fbc5a388f8749b177deb6e1e69de0fe8978b6c21
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 74dad40f13ed41ad25cea7a151eada678a8dac1bbf4d849a5205dbc537c0e8b4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D321ACB1A01228CFDB21CF28D648B8673F8AB16308F144439D43987A42D776B468CBE4
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000010), ref: 6C78860F
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000028), ref: 6C78862A
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C788674
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C78867D
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3970827069-0
                                                                                                                                                                                                        • Opcode ID: 95d7639f783aafe6b7d943f8ce731b63a39550f8054db7b0c85bee7d7154677d
                                                                                                                                                                                                        • Instruction ID: ad5fc20af7c575f4766ed75758677abb941a8ae108a4106d7fc03321d3d16439
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 95d7639f783aafe6b7d943f8ce731b63a39550f8054db7b0c85bee7d7154677d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A901C4F2B022115BD7104F99ED08B8BB7E4DF80365F140435EA58D7711D375D10987E2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(?), ref: 6C740976
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,?), ref: 6C740989
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,?), ref: 6C7409A6
                                                                                                                                                                                                        • PORT_ZFree_Util.NSSUTIL3(00000000,?), ref: 6C7409B8
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_$Alloc_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3600600774-0
                                                                                                                                                                                                        • Opcode ID: 151cf95937e47b2557c46f1517a2c6063146f36b8e1c59e3e30c5491043e2f82
                                                                                                                                                                                                        • Instruction ID: 6ec1753a0c9ea0a88938eefea528c95146c5d1d92f5a1258782d60aa592b9dac
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 151cf95937e47b2557c46f1517a2c6063146f36b8e1c59e3e30c5491043e2f82
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5D0140312013686FD7011A349E489AF7F9DDFC5679B00422DFC9896701DB31DD54CAB2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: _errnocalloc
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2887653223-0
                                                                                                                                                                                                        • Opcode ID: a37203459a95ebfdc744584ed9ac19a7dd1b4a98a63fbdaf62df984419f3e087
                                                                                                                                                                                                        • Instruction ID: 0f534c4d3eac9aeae4a984594d998c0dc5ffd339eecb8c325bb43ef7f01f6abb
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a37203459a95ebfdc744584ed9ac19a7dd1b4a98a63fbdaf62df984419f3e087
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5A0196757006018FD7109F6ED984A86B7F5EFCA331F44467AEA65C7780D774A4068B60
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(00000001,00000000,00000000,?,6C78C178,?,?), ref: 6C78D115
                                                                                                                                                                                                        • memcpy.MSVCR120(00000001,?,00000000,00000000,00000000,?,6C78C178,?,?), ref: 6C78D135
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?,?,00000000,00000000,?,6C78C178,?,?), ref: 6C78D156
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?,?,00000000,00000000,?,6C78C178,?,?), ref: 6C78D168
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free_$Alloc_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3600600774-0
                                                                                                                                                                                                        • Opcode ID: 0ba09066cee4020fb9a2d5707898634148c15f69a8e5220f14449dbec9a7fb48
                                                                                                                                                                                                        • Instruction ID: 1678e725bc3563634faccb51f5d563ef2e56821f05f1a924e6fa27fa88c770c3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0ba09066cee4020fb9a2d5707898634148c15f69a8e5220f14449dbec9a7fb48
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6C012672C052025AC600DF68F94498FB7A8AF94B74F04063AFE54D2751E32AC64D83E3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Read.NSPR4(?,?,00000004,?,6C74173A,00000000,?), ref: 6C741A1C
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?,00000000,?,?,?), ref: 6C741A5A
                                                                                                                                                                                                        • PR_Read.NSPR4(?,00000000,?,00000000,?,?,?), ref: 6C741A71
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C741A82
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ReadUtil$Alloc_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1296218028-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_errmsg.SQLITE3(?,?,?,?,6C7B8D08,?,?,00000000), ref: 6C7B8D8F
                                                                                                                                                                                                        • sqlite3_errcode.SQLITE3(?,?,?,00000000,?,?,?,?,6C7B8D08,?,?,00000000), ref: 6C7B8DA0
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_errcodesqlite3_errmsg
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1373711215-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_EnterMonitor.NSPR4(?,00000000,?,6C786C0A,00000000,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 6C78FB39
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,?,?,?,00000000,?,?,?,?,?,?,6C786AB4,?,?,?,00000000), ref: 6C78FB45
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,6C786AB4), ref: 6C78FBA7
                                                                                                                                                                                                        • PR_ExitMonitor.NSPR4(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?), ref: 6C78FBB0
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Monitor$EnterExitLockUnlock
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3508852795-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C749F60: memset.MSVCR120 ref: 6C749F93
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE001), ref: 6C73A291
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE013), ref: 6C73A2A3
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE002), ref: 6C73A2B5
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE005), ref: 6C73A2C7
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error_Util$memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1468616262-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(0000010C), ref: 6C728977
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C7289AA
                                                                                                                                                                                                        • memcpy.MSVCR120(0000000C,?,?), ref: 6C7289C5
                                                                                                                                                                                                        • memcpy.MSVCR120(0000008C,?,?,0000000C,?,?), ref: 6C7289DE
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Utilmemcpy$Alloc_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1229631015-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECOID_FindOIDTag_Util.NSSUTIL3(00000007,00000000,00000070,00000008), ref: 6C78BC9B
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(?,?,00000000,?,00000000,00000070,00000008), ref: 6C78BCBE
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,?,?,00000000,?,00000000,00000070,00000008), ref: 6C78BCD7
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE08D,00000000,00000070,00000008), ref: 6C78BCEA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_ArenaError_FindTag_memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2075218507-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C78A170: PL_HashTableEnumerateEntries.PLDS4(00000000,6C78A440,00000000,?,?,?,6C7899EE,?,?,?,6C7898BC,?), ref: 6C78A189
                                                                                                                                                                                                        • PR_DestroyLock.NSPR4(?), ref: 6C789A1B
                                                                                                                                                                                                        • PL_HashTableDestroy.PLDS4(?), ref: 6C789A2C
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C789A35
                                                                                                                                                                                                          • Part of subcall function 6C78FBC0: PR_Lock.NSPR4(?,?,6C789A01,00000000), ref: 6C78FBD6
                                                                                                                                                                                                          • Part of subcall function 6C78FBC0: PR_Unlock.NSPR4 ref: 6C78FBE8
                                                                                                                                                                                                          • Part of subcall function 6C78FBC0: PR_DestroyMonitor.NSPR4(74C08504,?,6C789A01,00000000), ref: 6C78FC00
                                                                                                                                                                                                          • Part of subcall function 6C78FBC0: PORT_Free_Util.NSSUTIL3(6C789A01,?,6C789A01,00000000), ref: 6C78FC11
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?), ref: 6C789A3E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DestroyFree_Util$HashLockTable$EntriesEnumerateMonitorUnlock
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 697751125-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_Alloc_Util.NSSUTIL3(?), ref: 6C781007
                                                                                                                                                                                                        • PR_Read.NSPR4(?,00000000,?), ref: 6C78101F
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000), ref: 6C78102F
                                                                                                                                                                                                        • PR_SetError.NSPR4(FFFFE012,00000000), ref: 6C781042
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_ErrorFree_Read
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4230991578-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(0000000C,00000000,6C782F32,?,?,?,?,?,?,?,?,?), ref: 6C7819A3
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C7819BB
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C7819CD
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Alloc_$Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2292727986-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_NewLock.NSPR4(6C789BC7,00000000,?,?,?,6C789CB0,?,00000000,?), ref: 6C790409
                                                                                                                                                                                                        • PR_NewMonitor.NSPR4(00000000,6C789BC7,00000000,?,?,?,6C789CB0,?,00000000,?), ref: 6C790419
                                                                                                                                                                                                        • PR_DestroyMonitor.NSPR4(?), ref: 6C790452
                                                                                                                                                                                                        • PORT_SetError_Util.NSSUTIL3(FFFFE012), ref: 6C790467
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Monitor$DestroyError_LockUtil
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2079995614-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_NewMonitor.NSPR4(?,?,?,?,?,6C790E7C,?,00000000), ref: 6C78ED0C
                                                                                                                                                                                                        • PR_EnterMonitor.NSPR4 ref: 6C78ED27
                                                                                                                                                                                                          • Part of subcall function 6C790720: PR_Lock.NSPR4(00000000,?,?), ref: 6C790734
                                                                                                                                                                                                          • Part of subcall function 6C790720: PR_Unlock.NSPR4 ref: 6C790754
                                                                                                                                                                                                        • PR_ExitMonitor.NSPR4(?,00000000,00000001,6C78F870,6C790F60), ref: 6C78ED5F
                                                                                                                                                                                                        • PR_DestroyMonitor.NSPR4(?), ref: 6C78ED69
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Monitor$DestroyEnterExitLockUnlock
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2140428822-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,?,6C789A01,00000000), ref: 6C78FBD6
                                                                                                                                                                                                        • PR_Unlock.NSPR4 ref: 6C78FBE8
                                                                                                                                                                                                        • PR_DestroyMonitor.NSPR4(74C08504,?,6C789A01,00000000), ref: 6C78FC00
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(6C789A01,?,6C789A01,00000000), ref: 6C78FC11
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DestroyFree_LockMonitorUnlockUtil
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4171523166-0
                                                                                                                                                                                                        • Opcode ID: 96dd361f3b0e4e1fc96057e204bfcb319a79d047b8937df96dacb6d91e486bd4
                                                                                                                                                                                                        • Instruction ID: aad2e0d43b58ead39b6462f84d9a2da3974e52ad997cd7687c4d9153e8c00da6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 96dd361f3b0e4e1fc96057e204bfcb319a79d047b8937df96dacb6d91e486bd4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 27F0EC715029019FDB114F18EE08B5B77B4EF81B44F240438ED6593710D736E566CBD5
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_FreeArena_Util.NSSUTIL3(?,00000000), ref: 6C739182
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000000), ref: 6C739190
                                                                                                                                                                                                        • SECITEM_FreeItem_Util.NSSUTIL3(?,00000000,?,00000000), ref: 6C73919B
                                                                                                                                                                                                        • PORT_Free_Util.NSSUTIL3(?,?,00000000,?,00000000), ref: 6C7391A1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Util$Free$Item_$Arena_Free_
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2810683504-0
                                                                                                                                                                                                        • Opcode ID: 04ea50ca33b1be66389c002e6e3f06630d2f0c396a55169c091ceaee8cc4a3d4
                                                                                                                                                                                                        • Instruction ID: 90fd61e4c1bd9bca03e177014068354313bc90377f878afcb1ec6b93d76380f9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 04ea50ca33b1be66389c002e6e3f06630d2f0c396a55169c091ceaee8cc4a3d4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 27E08672D0273066D950B6A4BE4EFCB67DC0F49505F450455B945EBA40EF20F99886A1
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 0
                                                                                                                                                                                                        • API String ID: 0-4108050209
                                                                                                                                                                                                        • Opcode ID: 20db1bc5307d73f3a36d303094718908e09f1a03e0f48b7b37d53efd1bee438c
                                                                                                                                                                                                        • Instruction ID: fc356c40ae21797dd8c2a98e6cd4828b571746d56ba7c067afe84a8c1598e0e9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 20db1bc5307d73f3a36d303094718908e09f1a03e0f48b7b37d53efd1bee438c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 123107B2A053056BD3009A6CDD48AABB7ECEF8426CF440639FA5592651F735D90887E3
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_exec.SQLITE3(?,00000000,6C7ADC10,?,00000000,?,?,?,?,?,00000000,?,?), ref: 6C7CDD51
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • SELECT tbl,idx,stat FROM %Q.sqlite_stat1, xrefs: 6C7CDD1C
                                                                                                                                                                                                        • sqlite_stat1, xrefs: 6C7CDCF8
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: sqlite3_exec
                                                                                                                                                                                                        • String ID: SELECT tbl,idx,stat FROM %Q.sqlite_stat1$sqlite_stat1
                                                                                                                                                                                                        • API String ID: 2141490097-3572622772
                                                                                                                                                                                                        • Opcode ID: 596d66d6d103b85efb2ca3803331063d042517daa8c80835c0307a1dc19e5bd2
                                                                                                                                                                                                        • Instruction ID: 939292747a82823a66ef0b3ce315a19ef234dc5f0b37ec35833f05af736f1050
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 596d66d6d103b85efb2ca3803331063d042517daa8c80835c0307a1dc19e5bd2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E310571B403025FC3209F19D984B52FBE8FB95364F4509AAEC488B702D376E885C7E6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ZAlloc_Util.NSSUTIL3(6C781823,?,00000000,00000000,6C78181D,?,?,CE534351), ref: 6C7812E2
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,6C78181D,6C78181E,?,CE534351), ref: 6C7812F7
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Alloc_Utilmemcpy
                                                                                                                                                                                                        • String ID: .dir
                                                                                                                                                                                                        • API String ID: 1090783976-608412691
                                                                                                                                                                                                        • Opcode ID: 5dde76cb491e24a7931dc354bb72b0619bba64aa818da5bb3230dee66a3f0f65
                                                                                                                                                                                                        • Instruction ID: 2b6a1e85738caca195a6ed9b541433f9a174100d6c0eb0e6088d7f0a0eb6242d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5dde76cb491e24a7931dc354bb72b0619bba64aa818da5bb3230dee66a3f0f65
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D4117F2670A1891BC7114E7AD6546D17FBADB8336CB0CC171DAECCBE0AE212D4498350
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C7A4A09
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                        • String ID: winTruncate1$winTruncate2
                                                                                                                                                                                                        • API String ID: 885266447-470713972
                                                                                                                                                                                                        • Opcode ID: 82b6f526fece99ebc0a7b3ce12e8c6cd6e6a82ce96c7e6e9aa8d210b7a1dbebc
                                                                                                                                                                                                        • Instruction ID: 3379ef1e13564471adf37676d82d25f92d50c962c446b2b16370054c9f4199c6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 82b6f526fece99ebc0a7b3ce12e8c6cd6e6a82ce96c7e6e9aa8d210b7a1dbebc
                                                                                                                                                                                                        • Instruction Fuzzy Hash: FF1104B27042007FDB10DEA9DE81E6B77ADEF85744F044878BD08D6742EB36D8119672
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C7F8AE0: memcpy.MSVCR120(?,?,?,3B9ACA00,00000002), ref: 6C7F8B94
                                                                                                                                                                                                        • sqlite3_snprintf.SQLITE3(00000020,?,%!.15g), ref: 6C7F9518
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpysqlite3_snprintf
                                                                                                                                                                                                        • String ID: %!.15g$%lld
                                                                                                                                                                                                        • API String ID: 3220818946-2983862324
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sqlite3_free.SQLITE3(?,?,?), ref: 6C7EFA63
                                                                                                                                                                                                          • Part of subcall function 6C7CDF10: memcpy.MSVCR120(?, ,0000001D,?,?,?,?,?,?,?), ref: 6C7CDF7F
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
• Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memcpysqlite3_free
                                                                                                                                                                                                        • String ID: %$NaN
                                                                                                                                                                                                        • API String ID: 2990970058-2010511803
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlock
                                                                                                                                                                                                        • String ID: Version
                                                                                                                                                                                                        • API String ID: 4018760208-1889659487
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlock
                                                                                                                                                                                                        • String ID: Version
                                                                                                                                                                                                        • API String ID: 4018760208-1889659487
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 6C792160: PR_CallOnce.NSPR4(6C799070,6C792220,6C78206C), ref: 6C792173
                                                                                                                                                                                                        • PR_Lock.NSPR4(?), ref: 6C782072
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?), ref: 6C78208D
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CallLockOnceUnlock
                                                                                                                                                                                                        • String ID: global-salt
                                                                                                                                                                                                        • API String ID: 2491243522-230581044
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlock
                                                                                                                                                                                                        • String ID: dsyl
                                                                                                                                                                                                        • API String ID: 4018760208-2035189389
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,00000068,@0,?,?,00000000,6C78BED2,?,00000008,?), ref: 6C78BC3A
                                                                                                                                                                                                        • SECITEM_CopyItem_Util.NSSUTIL3(?,00000078,6C78BF4A,?,00000008,?), ref: 6C78BC4F
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CopyItem_Util
                                                                                                                                                                                                        • String ID: @0
                                                                                                                                                                                                        • API String ID: 1930918740-2957544255
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PORT_ArenaAlloc_Util.NSSUTIL3(00000000,00000001,00000000,00000000,6C78E977,?,00000000,?,?,?,?,00000000,?,?,6C790BAD,?), ref: 6C78DDED
                                                                                                                                                                                                        • memcpy.MSVCR120(00000001,?,00000000,00000000,?,?,?,?,00000000,?,?,6C790BAD,?,?,6C78F389,?), ref: 6C78DE04
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
• Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Alloc_ArenaUtilmemcpy
                                                                                                                                                                                                        • String ID: wxl
                                                                                                                                                                                                        • API String ID: 9930719-638853590
                                                                                                                                                                                                        • Opcode ID: e63fe404fe5944d6190679aa4e0afa7d6f3c67cc004e9c2f975102e6a5a9b144
                                                                                                                                                                                                        • Instruction ID: f9e4a8354896b9bb2f18062efd75cc938244d19833bc751bd8a9708d0a3cc6f1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e63fe404fe5944d6190679aa4e0afa7d6f3c67cc004e9c2f975102e6a5a9b144
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1EF02771504A02AFDB01DB2CFE40517F7E8EF51220F00893AE4B9C3A60C730E86187A0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • strncmp.MSVCR120 ref: 6C789AED
                                                                                                                                                                                                        • PORT_Strdup_Util.NSSUTIL3(0000000C), ref: 6C789AFE
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Strdup_Utilstrncmp
                                                                                                                                                                                                        • String ID: multiaccess:
                                                                                                                                                                                                        • API String ID: 1519154206-235900168
                                                                                                                                                                                                        • Opcode ID: 7c0355746c55a7360d11502a830d34fb6bf7ff49206c9256a54cd4f893da84ee
                                                                                                                                                                                                        • Instruction ID: 299afbd7e50ac5fa906f00a898cc9a20aa1444e3a53e84bb4e80f98ef0c40385
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7c0355746c55a7360d11502a830d34fb6bf7ff49206c9256a54cd4f893da84ee
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EFF02760A1A3E25FF7125FA496407C17FD89F12708F2808BCD6D1C7581E7649681C392
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Lock.NSPR4(?,?,?,6C782F66,?,?), ref: 6C781D0C
                                                                                                                                                                                                        • PR_Unlock.NSPR4(?), ref: 6C781D27
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LockUnlock
                                                                                                                                                                                                        • String ID: psyl
                                                                                                                                                                                                        • API String ID: 4018760208-2788509253
                                                                                                                                                                                                        • Opcode ID: 1bc01426a8a70776e7c4cdc05440e30936c6d326662b1a0c796700f098e4cc3a
                                                                                                                                                                                                        • Instruction ID: 4a141625869157fd03f78b018f8878587c396a31f63376581968805d0cddf7da
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1bc01426a8a70776e7c4cdc05440e30936c6d326662b1a0c796700f098e4cc3a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F0E0EC36604110AFCB029F99DC04C5FFBB9EFDA661B05846AFA54D3220C331EC179BA2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memset$memcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 368790112-0
                                                                                                                                                                                                        • Opcode ID: d03543812f1eea952c837e530d9aff24fe4617ea36b4d6192e1f8f4f57176893
                                                                                                                                                                                                        • Instruction ID: f1f14c7fb4311f762b4fbaab2a30653fe8500c7638c52d5df2cf761d3ff11710
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d03543812f1eea952c837e530d9aff24fe4617ea36b4d6192e1f8f4f57176893
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AFA171716047018FD720CF2AC9C0B5AB7E1FF86318F54492DD4A98BB91E775E90ACB51
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: malloc$freememset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2835137314-0
                                                                                                                                                                                                        • Opcode ID: fcb04926f1e80c141da7fc95c86352ab42c270ebb70e97aba2e34a5e726e5cac
                                                                                                                                                                                                        • Instruction ID: 85358b2145edc4269589dd6c75e04a22616d86d4eeddebcf0733f9048e2076e1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: fcb04926f1e80c141da7fc95c86352ab42c270ebb70e97aba2e34a5e726e5cac
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E681C0742057029FE710CF19D684B52BBF5FF45318F1486A9EDA98BB81D331E855CBA0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059640397.000000006C7A1000.00000020.00000001.01000000.00000016.sdmp, Offset: 6C7A0000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059611890.000000006C7A0000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060045867.000000006C808000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060120955.000000006C812000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2060152574.000000006C814000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c7a0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2221118986-0
                                                                                                                                                                                                        • Opcode ID: bcb9c040c4360568e2e8f95e5894d276e411c303df4973bb5014f5dc7a5b8d9b
                                                                                                                                                                                                        • Instruction ID: d46fa9c60ab2c63834cec841f30451c29bbfeef2068075c51129907001787a24
                                                                                                                                                                                                        • Opcode Fuzzy Hash: bcb9c040c4360568e2e8f95e5894d276e411c303df4973bb5014f5dc7a5b8d9b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: DA51B0B1A007019FC360DF28CD45B47BBE4BF88724F544A2DE9A8DB781E775E4088B92
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1294909896-0
                                                                                                                                                                                                        • Opcode ID: 976558ec4d37930b21809ab327aa13d46c29139563aa6ca997a344f67a19d0ba
                                                                                                                                                                                                        • Instruction ID: 8b02a1821a52509c03ef276bc27136157b3201f557049372ee024acc1b92e4de
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 976558ec4d37930b21809ab327aa13d46c29139563aa6ca997a344f67a19d0ba
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 632182716057008FD720CE28FA80B67B3E4EF46618F144A7DE99997B41D336E845CBD1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: memset$callocfree
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 814206181-0
                                                                                                                                                                                                        • Opcode ID: 39aac7b5bdb6c4ecb1e26d31eb850b8a89b8ea90e10e62bfc08044b667199dc0
                                                                                                                                                                                                        • Instruction ID: 302f4b6719149d48009e9202167f47edd0cf5633b60f9a9d1e724612147b13c9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 39aac7b5bdb6c4ecb1e26d31eb850b8a89b8ea90e10e62bfc08044b667199dc0
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0321077160530A8BE300DF988A80B6B76EDEB98358F544A3DE954C3690F7B1991887D1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: callocfreememcpymemset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2163159207-0
                                                                                                                                                                                                        • Opcode ID: 0832d607a22a037bb5f5a95263e6ca4bcf5b861254905a4fc87e7757b24290f1
                                                                                                                                                                                                        • Instruction ID: e861a3d3ddc90cae7bf33ee8162610e50af2f3f92e5ea2e066fa883ede4ca907
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0832d607a22a037bb5f5a95263e6ca4bcf5b861254905a4fc87e7757b24290f1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3421B3B1700606AFD704DF59C984E65F7A9FF84215B40C23AE918CBA41EB71E828CBD1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • calloc.MSVCR120 ref: 6C74BA25
                                                                                                                                                                                                        • memcpy.MSVCR120(00000000,C12BC38B,C35D5E5F,?,?,?,?,?,?,?,?,00000000,?,6C72D8D5,00000000,?), ref: 6C74BA46
                                                                                                                                                                                                        • memset.MSVCR120 ref: 6C74BA57
                                                                                                                                                                                                        • free.MSVCR120 ref: 6C74BA67
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059008296.000000006C721000.00000020.00000001.01000000.00000018.sdmp, Offset: 6C720000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2058980283.000000006C720000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059255835.000000006C75E000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059342751.000000006C76E000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059372780.000000006C773000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c720000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: callocfreememcpymemset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2163159207-0
                                                                                                                                                                                                        • Opcode ID: 17d5ccd2f15720ec7ddabd7f4e70098981c1852ed3cce0ad5acb306a847aef2a
                                                                                                                                                                                                        • Instruction ID: 0416e0afd24a2f69c011fc52b1122a6b6d61c76873cfe252662b708e9a55d347
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 17d5ccd2f15720ec7ddabd7f4e70098981c1852ed3cce0ad5acb306a847aef2a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2F015EB2700600AFEB10DB59DD85E6B77E9EB84315B44C83DE55AC6A00DA74FC198B60
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001D.00000002.2059439694.000000006C781000.00000020.00000001.01000000.00000017.sdmp, Offset: 6C780000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059409239.000000006C780000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059543592.000000006C797000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        • Associated: 0000001D.00000002.2059578524.000000006C79A000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_29_2_6c780000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: freemallocmemmovememset
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1050734653-0
                                                                                                                                                                                                        • Opcode ID: e808ffa21914411fe51525c5699c7a0ac731ce3c8c60aa8268dafd0cf77e0e72
                                                                                                                                                                                                        • Instruction ID: 3358334ee98f530fe464e4f7d4da62d64568e90022fee2285b48c4d22aad2023
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e808ffa21914411fe51525c5699c7a0ac731ce3c8c60aa8268dafd0cf77e0e72
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CAF0E572200306AFDB006FEDED88A4BBBBCEF49615F100075FA05D3201DB72A9248BB1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_GetError.NSPR4 ref: 73D81FB5
                                                                                                                                                                                                        • PR_GetOSError.NSPR4 ref: 73D81FBD
                                                                                                                                                                                                        • PR_ErrorToName.NSPR4(00000000), ref: 73D81FC6
                                                                                                                                                                                                        • PR_fprintf.NSPR4(?,%s: ,?), ref: 73D81FEC
                                                                                                                                                                                                        • PR_fprintf.NSPR4(?, (%d)OUT OF RANGE, oserror = %d,00000000,00000000), ref: 73D82001
                                                                                                                                                                                                        • PR_fprintf.NSPR4(?,%s(%d), oserror = %d,00000000,00000000,00000000), ref: 73D82013
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001F.00000002.2070733064.0000000073D81000.00000020.00000001.01000000.00000012.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001F.00000002.2070708035.0000000073D80000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        • Associated: 0000001F.00000002.2070760446.0000000073D83000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_31_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorR_fprintf$Name
                                                                                                                                                                                                        • String ID: (%d)OUT OF RANGE, oserror = %d$%s(%d), oserror = %d$%s:
                                                                                                                                                                                                        • API String ID: 4154372385-1619349177
                                                                                                                                                                                                        • Opcode ID: 895596d5dd12f1d4b6b2ed1489076ae0e2e6d448620775a03c5337cfe83ecf5c
                                                                                                                                                                                                        • Instruction ID: 868fd033d1a613f6a783e0adcb847c69a132998cc045c2aaaa089fe53a40c013
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 895596d5dd12f1d4b6b2ed1489076ae0e2e6d448620775a03c5337cfe83ecf5c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2CF0CD777012056FD7007B399C48AFFB75CEE811697150525FC4EA3202E753B51949A6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_SetError.NSPR4(FFFFE89D,?), ref: 73D8205F
                                                                                                                                                                                                        • PR_Calloc.NSPR4(00000001,00000014), ref: 73D82071
                                                                                                                                                                                                        • PR_SetError.NSPR4(FFFFE890,00000000), ref: 73D82086
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001F.00000002.2070733064.0000000073D81000.00000020.00000001.01000000.00000012.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001F.00000002.2070708035.0000000073D80000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        • Associated: 0000001F.00000002.2070760446.0000000073D83000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_31_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error$Calloc
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4207371845-0
                                                                                                                                                                                                        • Opcode ID: 40fc10f7f322eaa5ec9c648a75e678dace9f2147034d9a6bdf856d4241397909
                                                                                                                                                                                                        • Instruction ID: eb5ff56d456281501069c51bef521194fa054acb67f4a328ca9984530628bff4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 40fc10f7f322eaa5ec9c648a75e678dace9f2147034d9a6bdf856d4241397909
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E62162B6610701AFD320DF6ADC48747BBE4FB84726F20452DE59EC7280D375A028CBA5
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • -----END CERTIFICATE-----, xrefs: 73D6D792
                                                                                                                                                                                                        • -----BEGIN CERTIFICATE-----, xrefs: 73D6D712
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 0000001F.00000002.2070561384.0000000073D61000.00000020.00000001.01000000.00000011.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 0000001F.00000002.2070537522.0000000073D60000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                        • Associated: 0000001F.00000002.2070656074.0000000073D73000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                        • Associated: 0000001F.00000002.2070683570.0000000073D79000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_31_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: -----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----
                                                                                                                                                                                                        • API String ID: 0-2949388839
                                                                                                                                                                                                        • Opcode ID: e448127730d45394e4469e982bd1287da468c1d755c84dfbeb26a0008bc0d472
                                                                                                                                                                                                        • Instruction ID: e4c4c7122c0b06a0ee186804764248e8ab7beae8554d19c6636719738d3a6bf5
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e448127730d45394e4469e982bd1287da468c1d755c84dfbeb26a0008bc0d472
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B918C739043508BE7025A2C6C6076AB7A59BC1AB1F5C076AECF7A51C2F319C52587E3

                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                        Execution Coverage:1.3%
                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                        Signature Coverage:4.4%
                                                                                                                                                                                                        Total number of Nodes:365
                                                                                                                                                                                                        Total number of Limit Nodes:33

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(00000008,?), ref: 73D78962
                                                                                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 73D78969
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D78982
                                                                                                                                                                                                          • Part of subcall function 73D63EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D63FD4
                                                                                                                                                                                                        • GetTokenInformation.KERNELBASE(?,00000004,?,00000400,00000000), ref: 73D789BF
                                                                                                                                                                                                        • GetLengthSid.ADVAPI32(?), ref: 73D789C9
                                                                                                                                                                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 73D789EA
                                                                                                                                                                                                        • GetTokenInformation.KERNELBASE(?,00000005(TokenIntegrityLevel),?,00000400,00000000), ref: 73D78A04
                                                                                                                                                                                                        • GetLengthSid.ADVAPI32(?), ref: 73D78A0E
                                                                                                                                                                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 73D78A2F
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 73D78A39
                                                                                                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,73D882B4), ref: 73D78A5B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • _PR_NT_InitSids: OpenProcessToken() failed. Error: %d, xrefs: 73D78989
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Token$CopyInformationLengthProcess$AllocateCloseCriticalCurrentEnterErrorHandleInitializeLastOpenSection
                                                                                                                                                                                                        • String ID: _PR_NT_InitSids: OpenProcessToken() failed. Error: %d
                                                                                                                                                                                                        • API String ID: 2490781191-1216436346
                                                                                                                                                                                                        • Opcode ID: fcdbf64d319de87303b0bbfeda21d96b91dcff65d106e4b285ed556fdce3c783
                                                                                                                                                                                                        • Instruction ID: acdd6864f1e205196349fdfb1c92486cfae958ff75c20ffb9956fbcba1aad42e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: fcdbf64d319de87303b0bbfeda21d96b91dcff65d106e4b285ed556fdce3c783
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EE313EB3515300EFE710EF61CC09BAA7BE9FB84704F504828F699D6190E7359958CB67

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 250 73d68190-73d6819a 251 73d681d7-73d681da 250->251 252 73d6819c-73d681b4 GetSystemInfo 250->252 253 73d681c6-73d681d5 252->253 254 73d681b6-73d681c5 252->254 253->251
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetSystemInfo.KERNELBASE(?), ref: 73D681A1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InfoSystem
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 31276548-0
                                                                                                                                                                                                        • Opcode ID: 6343077e7909bde0d04345356f16badd3fdbe31d39aaa77b5316ef6709618890
                                                                                                                                                                                                        • Instruction ID: 4fd9c014346496fc8ee870ec3a6df83cda591992d6d5f317590f81e0f598b767
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6343077e7909bde0d04345356f16badd3fdbe31d39aaa77b5316ef6709618890
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F7E0ED77521204CFD304EF2ACD867967BE8B748760F94052DD94DC2240E739A4498B05

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 73D67E85
                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 73D67EB8
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 73D67ED4
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D67EFF
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 73D67FAA
                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,?), ref: 73D67FF4
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D68000
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ByteCharMultiWide$ErrorLast$LibraryLoad
                                                                                                                                                                                                        • String ID: Loaded library %s (load lib)$error %d
                                                                                                                                                                                                        • API String ID: 2288181798-2368894446
                                                                                                                                                                                                        • Opcode ID: 90a35d77db98a43c9a68b830b985839233507a76a819cc4b8c8ff8de373f32b4
                                                                                                                                                                                                        • Instruction ID: 672bf0e46721d9cab0919668b97e06647afd6e2aa7bcd8a59f86a6f85f1778b3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 90a35d77db98a43c9a68b830b985839233507a76a819cc4b8c8ff8de373f32b4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3051E972644305EBE321AF25CC05F5B76ECAB407A0F240528F96AB72C1E775E508CBA2

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2086425690.0000000073DB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 73DB0000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086396192.0000000073DB0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086457689.0000000073DB3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73db0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Unlock$CallLockMallocOnce
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3503020682-0
                                                                                                                                                                                                        • Opcode ID: f179e12b730a16de8687b88f770896649da43bc3ea6cbe6b887edbcdf3c42adc
                                                                                                                                                                                                        • Instruction ID: 956eac23dc1c46b9b4f4cd5ce6c0fdbf2d6238ee3c094373655b8000afbe56ed
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f179e12b730a16de8687b88f770896649da43bc3ea6cbe6b887edbcdf3c42adc
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AF41B072601711CFDB15CF29D880606B7F2FF8476132846A9E89BDB355E735E869CB80

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 73D78EEB
                                                                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 73D78EF2
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(00000000), ref: 73D78EF9
                                                                                                                                                                                                        • DuplicateHandle.KERNELBASE(00000000), ref: 73D78F00
                                                                                                                                                                                                        • CreateSemaphoreA.KERNEL32(00000000,00000000,00000001,00000000), ref: 73D78F0E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Current$Process$CreateDuplicateHandleSemaphoreThread
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 514173987-0
                                                                                                                                                                                                        • Opcode ID: 314374fe0e84199b377a1cb0203a1febe82422b10e55ae47325d1ab7d7907bfb
                                                                                                                                                                                                        • Instruction ID: fb97b15374331d743a76094815e7302870c0c621332bc4439ff81bfa52c9a434
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 314374fe0e84199b377a1cb0203a1febe82422b10e55ae47325d1ab7d7907bfb
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 04F0ED73785345BBEA206BB1CC0EFD5BBADBB54B02F204605B64EEA1D0CBB460948758

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 73D74330
                                                                                                                                                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 73D74369
                                                                                                                                                                                                        • GetStdHandle.KERNEL32(000000F4), ref: 73D743A2
                                                                                                                                                                                                        • WSAStartup.WS2_32(00000101,2CD54620), ref: 73D7958D
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Handle$Startup
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1193030618-0
                                                                                                                                                                                                        • Opcode ID: b655c7267461086861f544c1d77ee62957fc5281e7691a28661d180778cfd35f
                                                                                                                                                                                                        • Instruction ID: fdcd70cbea2f5342c52db68e53a66026af4e9d5fe3060f94fd6fd1c1810c5760
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b655c7267461086861f544c1d77ee62957fc5281e7691a28661d180778cfd35f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 643127B2D507209FE721AF75CC52B5977E5AF54750F200618E85E7B380EB3AA801CBE5

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetFileInformationByHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,73D79421,?), ref: 73D79481
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,73D79421,?), ref: 73D7948B
                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 73D794FF
                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 73D7952A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorFileHandleInformationLast
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3051374878-0
                                                                                                                                                                                                        • Opcode ID: cdc011ea1320bb0d5585dc74921f7e96f6461a8dd50b8dd86676e103937d8dd2
                                                                                                                                                                                                        • Instruction ID: 831f1481d63930076712d80254d8b4fcb9fe7ad19f303a115d16d2d5c829fe6f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: cdc011ea1320bb0d5585dc74921f7e96f6461a8dd50b8dd86676e103937d8dd2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 372117B29147009FD324DF29C851B4BBBF4AB58714F508A1DE89AD7390E734E948CBA2

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 73D788F0: FreeSid.ADVAPI32(00F8D368,73D78D66,00000000,73D6C9B6), ref: 73D7891E
                                                                                                                                                                                                        • WSACleanup.WS2_32 ref: 73D78D6B
                                                                                                                                                                                                        • TlsFree.KERNELBASE(00000000,73D6C9B6), ref: 73D78D7C
                                                                                                                                                                                                        • TlsFree.KERNELBASE ref: 73D78D84
                                                                                                                                                                                                        • TlsFree.KERNEL32 ref: 73D78D8C
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Free$Cleanup
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3327822341-0
                                                                                                                                                                                                        • Opcode ID: 1533c062cc318028dca42e8f3969cc8bf1a103b2266391506e20d6f780a89806
                                                                                                                                                                                                        • Instruction ID: d2f2fd79c4a3079913da96c9c35f1edc5b497139bd67ae9184beb64f580123e3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1533c062cc318028dca42e8f3969cc8bf1a103b2266391506e20d6f780a89806
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 27C0E9335511685BDA627B62EC06AC97F25DF163617214052D90871120CB2928559AAD

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: %s decr => %d$Unloaded library %s
                                                                                                                                                                                                        • API String ID: 0-2877805755
                                                                                                                                                                                                        • Opcode ID: 4cfde412981d8ba7bc7615fea38320cad9880cef47faafb3c7df85d1808774d3
                                                                                                                                                                                                        • Instruction ID: baa22ba4198b604c95da4973b283a3b0c0448b17ba6a366ca4f6e7d58e3e4aa3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4cfde412981d8ba7bc7615fea38320cad9880cef47faafb3c7df85d1808774d3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3C31F776A01201DBE712AF29EC00B593BF6EF40761B18452CE87FA32A1E721E844CA65

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 206 73d78e80-73d78e8d 207 73d78ea0-73d78ea8 206->207 208 73d78e8f-73d78e96 CloseHandle 206->208 209 73d78ebb-73d78eca TlsSetValue 207->209 210 73d78eaa-73d78eb1 CloseHandle 207->210 208->207 210->209
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CloseHandle.KERNELBASE(CCCC0000,00000000,73D6C963,00000000), ref: 73D78E90
                                                                                                                                                                                                        • CloseHandle.KERNEL32(CCCCCCCC,00000000,73D6C963,00000000), ref: 73D78EAB
                                                                                                                                                                                                        • TlsSetValue.KERNEL32(00000000,00000000,73D6C963,00000000), ref: 73D78EC3
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CloseHandle$Value
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2076415241-0
                                                                                                                                                                                                        • Opcode ID: 95f5ebcaeda6baeccbb0b3f8d3aaa449cbc84b78b343c4a9fbb7bdf7b8f28133
                                                                                                                                                                                                        • Instruction ID: 1ae4f63e278b5bfe862b5244e7a8e18ccf05717501dff3ebdb9b5aa8287f9a13
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 95f5ebcaeda6baeccbb0b3f8d3aaa449cbc84b78b343c4a9fbb7bdf7b8f28133
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F0E0B6726157019BDB20AF35D849BC77BE8BF18725F244808E8DAE3280CBB5B4858B59

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 211 73d797d0-73d797db 212 73d797e2-73d797e4 211->212 213 73d797dd 211->213 214 73d797e6 212->214 215 73d797eb-73d797ed 212->215 213->212 214->215 216 73d797f5-73d797fa 215->216 217 73d797ef 215->217 218 73d79807-73d79809 216->218 219 73d797fc-73d797fe 216->219 217->216 221 73d7981e-73d79828 218->221 222 73d7980b-73d7981c 218->222 219->218 220 73d79800-73d79805 219->220 223 73d7982f-73d79846 CreateFileA 220->223 221->223 222->223 224 73d7985a 223->224 225 73d79848-73d79857 GetLastError call 73d7bb90 223->225 225->224
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CreateFileA.KERNELBASE(00000000,00000000,00000003,00000000,0000000A,00000000,00000000,73D70387,73D73F9B,00000000,73D70387,00000000,?,00000000,?,73D70387), ref: 73D7983C
                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,?,73D70387,00000000,0000000A,000001B6), ref: 73D79848
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CreateErrorFileLast
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1214770103-0
                                                                                                                                                                                                        • Opcode ID: d4f96556b99e81859946e0d2d21226da19767693377fa750c19f14018184afca
                                                                                                                                                                                                        • Instruction ID: 5e082ec3408872ad857556b22cfb56ad6904d10dbf29636688387d0d02d8ff20
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d4f96556b99e81859946e0d2d21226da19767693377fa750c19f14018184afca
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1201F43750020157FB010A74DD46BEB2B6BAF45BB8F140228FC47BA1E4E7788902C291

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 228 73d79b40-73d79b62 ReadFile 229 73d79b64-73d79b6d GetLastError 228->229 230 73d79b81-73d79b85 228->230 231 73d79b73-73d79b80 call 73d7bb90 229->231 232 73d79b6f-73d79b72 229->232
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • ReadFile.KERNELBASE(?,?,?,?,00000000,?,73D73951,?,?,?), ref: 73D79B5A
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D79B64
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorFileLastRead
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1948546556-0
                                                                                                                                                                                                        • Opcode ID: f10de2d72504bfb9fd9a7bc0194269d37ae9636c23a2f309300e2e77e9b45b9a
                                                                                                                                                                                                        • Instruction ID: 1774cd87bef74ef34f5ad108b177b2681252608b27f785d7235db4679a6bde10
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f10de2d72504bfb9fd9a7bc0194269d37ae9636c23a2f309300e2e77e9b45b9a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D9E092B75092009FD702DF64DC48F8A7BEEAB98331F240958F15AC65E1D730D854AB52

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 235 73d79c30-73d79c40 MoveFileA 236 73d79c45-73d79c57 GetLastError call 73d7bb90 235->236 237 73d79c42-73d79c44 235->237
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorFileLastMove
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 55378915-0
                                                                                                                                                                                                        • Opcode ID: c93c412b32a878cedb44cbaf3bfc7e8efa154b1e32cbfe573e316271b8e5a8fb
                                                                                                                                                                                                        • Instruction ID: 38ef8619260f6c9b005fb29f2289e0d15994eb34327f5fba70dbad08bf56f9c6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c93c412b32a878cedb44cbaf3bfc7e8efa154b1e32cbfe573e316271b8e5a8fb
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0AD01277505201ABDF012B71CC0D74B3EA97F80361F540A24B91EC01F0FB79C0559611

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 240 73d79220-73d7922c DeleteFileA 241 73d79231-73d79243 GetLastError call 73d7bb90 240->241 242 73d7922e-73d79230 240->242
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • DeleteFileA.KERNELBASE(?,73D73D79,?), ref: 73D79224
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D79231
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DeleteErrorFileLast
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2018770650-0
                                                                                                                                                                                                        • Opcode ID: c7f796a41fa45ebaa116b4d340c5883cfb63f921a065d353aa5956476aba9fff
                                                                                                                                                                                                        • Instruction ID: 875f21bf15b53c691bfd50ec97e0814ec2d2232f038f73204df9c96916dec4e9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c7f796a41fa45ebaa116b4d340c5883cfb63f921a065d353aa5956476aba9fff
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2CC08CB3A012009BDA003B72CC0D74F3A68BF40732FD40A34B82ED11D0FB78C014A611

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 245 73d79100-73d79117 CloseHandle 246 73d79119-73d79125 GetLastError call 73d7bb90 245->246 247 73d79128-73d7912b 245->247 246->247
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CloseHandle.KERNELBASE(73D73E3F,00000000,73D73E3F,?,73D6CB50,?), ref: 73D79105
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D79119
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CloseErrorHandleLast
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 918212764-0
                                                                                                                                                                                                        • Opcode ID: d506a71338b2cadd565fbac312d3fd753378a54bfa1535a0b5ad109c8f2b16a9
                                                                                                                                                                                                        • Instruction ID: 980254e5979c90ead14106197e7ef0f73a21ec228f3c8e0cc23a29a3d29744fd
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d506a71338b2cadd565fbac312d3fd753378a54bfa1535a0b5ad109c8f2b16a9
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7AD0A973D0253083C92132B8FC0C6CA6A68AB007B9B010360ECAAE66D4D7304C4982D1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2086425690.0000000073DB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 73DB0000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086396192.0000000073DB0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086457689.0000000073DB3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73db0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Free
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3978063606-0
                                                                                                                                                                                                        • Opcode ID: 9cfca0a8a1d6bd7798e0321e29ed1bf62731abc7710ac4754838edd148d03aa3
                                                                                                                                                                                                        • Instruction ID: bb89c22f9a59981b33a315fa0b01a28cd7610b486c0b04159608af83f8530077
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9cfca0a8a1d6bd7798e0321e29ed1bf62731abc7710ac4754838edd148d03aa3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: FAE0E2726002118BC320DF2AE840A02F3F9BF88660725082EE8C6E3350E770E844CBA0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • RtlDeleteCriticalSection.NTDLL(?), ref: 73D76649
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CriticalDeleteSection
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 166494926-0
                                                                                                                                                                                                        • Opcode ID: ddf4eec00e3864509a593f1e799ed0f53c8aea347b600a7d76e30a69bcd80e7f
                                                                                                                                                                                                        • Instruction ID: 91b1ee6d875b26cdd74a84fb95fce7111b4f60ae7c43f8bfafdf974bd210b900
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ddf4eec00e3864509a593f1e799ed0f53c8aea347b600a7d76e30a69bcd80e7f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A9C02B73C01221DBC9506B50F805CCB33AC5E05214B044811F445D3000D338F54FC7E2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1452528299-0
                                                                                                                                                                                                        • Opcode ID: e876df3dd82cc79999c8bdf89e11a76d93a78e8f2684a44b3a8da4a861a63091
                                                                                                                                                                                                        • Instruction ID: e700cbf8278f76323f05c7489f729507e0778c8ce30d9a34bad6fe7240b25b0a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e876df3dd82cc79999c8bdf89e11a76d93a78e8f2684a44b3a8da4a861a63091
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0741C373701201AFE7626A26DC4AFA737FCAF44BB0F180518F95BE62D1DB65E440C625
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Value
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3702945584-0
                                                                                                                                                                                                        • Opcode ID: 8150ca6145ffe09cf38b48a33212b7a798a23d2130a34698e49c3fc3a52e243e
                                                                                                                                                                                                        • Instruction ID: c745a7fd7bdea79c1de67ced3a189f60b225f1f5a56eaef611cfcc629d07944b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8150ca6145ffe09cf38b48a33212b7a798a23d2130a34698e49c3fc3a52e243e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 33E1AFB16083418FE725CF24C8817AAB3F5FF84724F14492DE9CAA7290E778D945CB52
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • recvfrom.WS2_32(?,?,?,00000000,?,?), ref: 73D7AB97
                                                                                                                                                                                                        • WSAGetLastError.WS2_32 ref: 73D7ABB0
                                                                                                                                                                                                          • Part of subcall function 73D78D40: TlsGetValue.KERNEL32(73D76FA6,00000000,73D7D0CE), ref: 73D78D46
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 73D7AC79
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D7AD25
                                                                                                                                                                                                        • recvfrom.WS2_32(?,?,?,00000000,?,?), ref: 73D7AD74
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D7ADA1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLastrecvfromselect$Value
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3722555639-0
                                                                                                                                                                                                        • Opcode ID: deba14c738a93d942851cf7a5bdbab79a487c36e984ae382e8e150b5b1968702
                                                                                                                                                                                                        • Instruction ID: cc6449bde4a51f512370446be7ecf3fa193b4c92239f13ff93fcb455a55b9d10
                                                                                                                                                                                                        • Opcode Fuzzy Hash: deba14c738a93d942851cf7a5bdbab79a487c36e984ae382e8e150b5b1968702
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6061C172508340AFE321DF28D844B5FB7E9AB88735F140A1DF99AA73C0E774D9048B52
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: htons
                                                                                                                                                                                                        • String ID: gfff$gfff$gfff$gfff
                                                                                                                                                                                                        • API String ID: 4207154920-2178600047
                                                                                                                                                                                                        • Opcode ID: 092741e56556561c6d50a69f1b1554b286de9f509fcc6a5a121d65051665da42
                                                                                                                                                                                                        • Instruction ID: 33bd75faa973a6a4555e6567e4f9e318a084febc05d2cba5916561893ef7caba
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 092741e56556561c6d50a69f1b1554b286de9f509fcc6a5a121d65051665da42
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 12C16B51B042878BD315492D8A507567BE79BE99A0F1C473AE8D3DF3C1E71BCC4A83A1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • MapViewOfFile.KERNEL32(?,?,?,?,73D628BB,?,73D648A5,?,?,?,?,73D628BB,?,?,00000000,00040000), ref: 73D77ED7
                                                                                                                                                                                                        • GetLastError.KERNEL32(00000400,?,00000000,00000000), ref: 73D77EEF
                                                                                                                                                                                                        • FormatMessageA.KERNEL32(00001100,00000000,00000000), ref: 73D77EFC
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D77F1E
                                                                                                                                                                                                          • Part of subcall function 73D63EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D63FD4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$CriticalEnterFileFormatMessageSectionView
                                                                                                                                                                                                        • String ID: md_memmap(): %s
                                                                                                                                                                                                        • API String ID: 96374981-2634054837
                                                                                                                                                                                                        • Opcode ID: 3baf4c94daae4643743924bc690b18bed5aa05e6847842d678cac1dacb6fa745
                                                                                                                                                                                                        • Instruction ID: 75dd4451ecefb87183b5dead8725f1ec67d9f6823543ce5dfb0b3f0926571b82
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3baf4c94daae4643743924bc690b18bed5aa05e6847842d678cac1dacb6fa745
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8CF0AF77409200BFD312AF90DD08EAA7BA9FB48392F144404FA4992121D3218818CBB2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • FindFirstFileA.KERNEL32(?,?,?,00000000), ref: 73D7995C
                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 73D7996A
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorFileFindFirstLast
                                                                                                                                                                                                        • String ID: UUUU$\*.*
                                                                                                                                                                                                        • API String ID: 873889042-3193473139
                                                                                                                                                                                                        • Opcode ID: 28a7595f81481a0dbc2ce5bf72ca6c3ad2a16437a6a7ca0e8549e31c3e571394
                                                                                                                                                                                                        • Instruction ID: c2cd4fe58cf8616889326e5d3e97c198cc1c1d388928a4350d3017d17cc19e7f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 28a7595f81481a0dbc2ce5bf72ca6c3ad2a16437a6a7ca0e8549e31c3e571394
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F1412A734083418FDB21DF38D8807DA7BFAAF85324F584A69D8EE97281D7719149CB52
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetVersionExA.KERNEL32(00000000), ref: 73D7A823
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Version
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1889659487-0
                                                                                                                                                                                                        • Opcode ID: 0fb633d7691b7b2cf875e31536ecd282fb7903be427e60fd5bf17bb0733bfaa7
                                                                                                                                                                                                        • Instruction ID: 9cb05b091800fc791c4b765e9c1e991ae2f0a739a13cb40b01a4c08c5137b482
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0fb633d7691b7b2cf875e31536ecd282fb7903be427e60fd5bf17bb0733bfaa7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 75F06D72914301ABE324EF30C906BAA77F9BB48714FA0482CE59D97281E739A44DCB07
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(00000000), ref: 73D645FB
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DebugOutputString
                                                                                                                                                                                                        • String ID: , %n$%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n$NSPR_LOG_FILE$NSPR_LOG_MODULES$Unable to create nspr log file '%s'$all$append$bufsize$sync$timestamp
                                                                                                                                                                                                        • API String ID: 1166629820-4000297177
                                                                                                                                                                                                        • Opcode ID: bfd46d0bb69593b2764e1b0be36f55493a477d62e825acb3eb4afe167c74f879
                                                                                                                                                                                                        • Instruction ID: 783fd582e068ef8ffa28004da61c68466b7f12fe198580e57c280b1911c238c2
                                                                                                                                                                                                        • Opcode Fuzzy Hash: bfd46d0bb69593b2764e1b0be36f55493a477d62e825acb3eb4afe167c74f879
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1351E972909321DBC710DF74D84478B77F8AF847A8F044929ECA6B7241EB34E549CBA2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 73D78D40: TlsGetValue.KERNEL32(73D76FA6,00000000,73D7D0CE), ref: 73D78D46
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 73D7B881
                                                                                                                                                                                                        • Sleep.KERNEL32(00000000,00000000,00000000,?,00000000,00000005), ref: 73D7B8A3
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D7B8B2
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D7B8C1
                                                                                                                                                                                                        • getsockopt.WS2_32(?,0000FFFF,00001007,00000004,?), ref: 73D7B934
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D7BA1C
                                                                                                                                                                                                        • Sleep.KERNEL32(00000000), ref: 73D7BA3B
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D7BA46
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D7BA55
                                                                                                                                                                                                        • WSAGetLastError.WS2_32 ref: 73D7BAB2
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Sleepselect$ErrorLastValuegetsockopt
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2789319419-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 73D676F0
                                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(?), ref: 73D67706
                                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 73D6771F
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D67729
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 73D67764
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D67770
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D677E0
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D677F0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$ByteCharModuleMultiWide$FileHandleName
                                                                                                                                                                                                        • String ID: error %d
                                                                                                                                                                                                        • API String ID: 782665465-2147592115
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_GetError.NSPR4 ref: 73DC1FB5
                                                                                                                                                                                                        • PR_GetOSError.NSPR4 ref: 73DC1FBD
                                                                                                                                                                                                        • PR_ErrorToName.NSPR4(00000000), ref: 73DC1FC6
                                                                                                                                                                                                        • PR_fprintf.NSPR4(?,%s: ,?), ref: 73DC1FEC
                                                                                                                                                                                                        • PR_fprintf.NSPR4(?, (%d)OUT OF RANGE, oserror = %d,00000000,00000000), ref: 73DC2001
                                                                                                                                                                                                        • PR_fprintf.NSPR4(?,%s(%d), oserror = %d,00000000,00000000,00000000), ref: 73DC2013
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2086516473.0000000073DC1000.00000020.00000001.01000000.00000012.sdmp, Offset: 73DC0000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086487590.0000000073DC0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086552113.0000000073DC3000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73dc0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorR_fprintf$Name
                                                                                                                                                                                                        • String ID: (%d)OUT OF RANGE, oserror = %d$%s(%d), oserror = %d$%s:
                                                                                                                                                                                                        • API String ID: 4154372385-1619349177
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D63FD4
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00040000), ref: 73D640B2
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(0000000A), ref: 73D640FD
                                                                                                                                                                                                        • RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D64169
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(?,?,?,?,?,?,00000000,00000000,00040000,?), ref: 73D6419C
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00040000,?), ref: 73D641EC
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • %ld[%p]: , xrefs: 73D63F58
                                                                                                                                                                                                        • %04d-%02d-%02d %02d:%02d:%02d.%06d UTC - , xrefs: 73D63F1E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DebugOutputString$CriticalEnterSection
                                                                                                                                                                                                        • String ID: %04d-%02d-%02d %02d:%02d:%02d.%06d UTC - $%ld[%p]:
                                                                                                                                                                                                        • API String ID: 2660680679-2800039365
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: D$NSPR_INHERIT_FDS=
                                                                                                                                                                                                        • API String ID: 0-1748084516
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetVersionExA.KERNEL32(00000094), ref: 73D7801D
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D78027
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLastVersion
                                                                                                                                                                                                        • String ID: %d.%d$Windows_95$Windows_98$Windows_NT$Windows_Unknown
                                                                                                                                                                                                        • API String ID: 305913169-3588704869
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CreateFileMappingA.KERNEL32(000000FF,?,00000004,00000000), ref: 73D7CD7C
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00000004,00000000), ref: 73D7CDB9
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00000004,00000000), ref: 73D7CDCF
                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 73D7CE0B
                                                                                                                                                                                                          • Part of subcall function 73D63EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D63FD4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • PR_OpenSharedMemory: CreateFileMapping() success: %s, handle: %d, xrefs: 73D7CE4A
                                                                                                                                                                                                        • PR_OpenSharedMemory: Request exclusive & already exists, xrefs: 73D7CDE9
                                                                                                                                                                                                        • PR_OpenSharedMemory: CreateFileMapping() failed: %s, xrefs: 73D7CDAC
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$CloseCreateCriticalEnterFileHandleMappingSection
                                                                                                                                                                                                        • String ID: PR_OpenSharedMemory: CreateFileMapping() failed: %s$PR_OpenSharedMemory: CreateFileMapping() success: %s, handle: %d$PR_OpenSharedMemory: Request exclusive & already exists
                                                                                                                                                                                                        • API String ID: 510033722-2926580257
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000001,00000002), ref: 73D7D037
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000), ref: 73D7D041
                                                                                                                                                                                                        • DuplicateHandle.KERNEL32(00000000), ref: 73D7D048
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D7D052
                                                                                                                                                                                                          • Part of subcall function 73D63EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D63FD4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • _md_OpenAnonFileMap(): DuplicateHandle(): failed, xrefs: 73D7D071
                                                                                                                                                                                                        • _md_OpenAnonFileMap(): PR_CreateFileMap(): failed, xrefs: 73D7D01B
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CurrentProcess$CriticalDuplicateEnterErrorHandleLastSection
                                                                                                                                                                                                        • String ID: _md_OpenAnonFileMap(): DuplicateHandle(): failed$_md_OpenAnonFileMap(): PR_CreateFileMap(): failed
                                                                                                                                                                                                        • API String ID: 472606604-3740453005
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • TlsGetValue.KERNEL32(00000001,73D78D5A,00000000,00000001,00000000,00000000), ref: 73D76E6D
                                                                                                                                                                                                        • TlsSetValue.KERNEL32(00000000,00000000,00000000), ref: 73D76E86
                                                                                                                                                                                                        • TlsSetValue.KERNEL32(00000000), ref: 73D76E90
                                                                                                                                                                                                        • TlsSetValue.KERNEL32(00000000), ref: 73D76EB7
                                                                                                                                                                                                        • RtlDeleteCriticalSection.NTDLL(00000040), ref: 73D76F1C
                                                                                                                                                                                                        • TlsSetValue.KERNEL32(00000000), ref: 73D76F39
                                                                                                                                                                                                        • TlsGetValue.KERNEL32 ref: 73D76F41
                                                                                                                                                                                                        • TlsGetValue.KERNEL32 ref: 73D76F77
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Value$CriticalDeleteSection
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1707600571-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CreateSemaphoreA.KERNEL32(00000000,?,7FFFFFFF,?), ref: 73D7C2E5
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,73D7588D,?,?,?,?), ref: 73D7C306
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CreateErrorLastSemaphore
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 778173943-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(00000000), ref: 73D645FB
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • NSPR_LOG_FILE, xrefs: 73D645C1
                                                                                                                                                                                                        • , %n, xrefs: 73D64584
                                                                                                                                                                                                        • %63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n, xrefs: 73D64477
                                                                                                                                                                                                        • Unable to create nspr log file '%s', xrefs: 73D645E7
                                                                                                                                                                                                        • sync, xrefs: 73D6449A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                                • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                                • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DebugOutputString
                                                                                                                                                                                                        • String ID: , %n$%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n$NSPR_LOG_FILE$Unable to create nspr log file '%s'$sync
                                                                                                                                                                                                        • API String ID: 1166629820-561330267
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_SetError.NSPR4(FFFFE89D,?), ref: 73DC205F
                                                                                                                                                                                                        • PR_Calloc.NSPR4(00000001,00000014), ref: 73DC2071
                                                                                                                                                                                                        • PR_SetError.NSPR4(FFFFE890,00000000), ref: 73DC2086
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2086516473.0000000073DC1000.00000020.00000001.01000000.00000012.sdmp, Offset: 73DC0000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086487590.0000000073DC0000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086552113.0000000073DC3000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73dc0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error$Calloc
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4207371845-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • socket.WS2_32(?,?), ref: 73D7B558
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000000,73D630B2), ref: 73D7B564
                                                                                                                                                                                                        • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 73D7B584
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000000,73D630B2), ref: 73D7B58D
                                                                                                                                                                                                        • closesocket.WS2_32(00000000), ref: 73D7B5A1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$closesocketioctlsocketsocket
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3997934912-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sendto.WS2_32(?,?,?,00000000,?,?), ref: 73D7B1A9
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,00000000,?,?), ref: 73D7B1B7
                                                                                                                                                                                                        • select.WS2_32(00000000,00000000,?,00000000,?), ref: 73D7B289
                                                                                                                                                                                                        • select.WS2_32(00000000,00000000,?,00000000,00000005), ref: 73D7B340
                                                                                                                                                                                                        • sendto.WS2_32(?,?,?,00000000,?,?), ref: 73D7B393
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(00000000,00000000,?,00000000,00000005,?,?), ref: 73D7B413
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLastselectsendto
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 963654331-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • send.WS2_32(?,?,?,00000000), ref: 73D7AE3C
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 73D7AE50
                                                                                                                                                                                                        • select.WS2_32(00000000,00000000,?,00000000,?), ref: 73D7AF1C
                                                                                                                                                                                                        • select.WS2_32(00000000,00000000,?,00000000,00000005), ref: 73D7AFD0
                                                                                                                                                                                                        • send.WS2_32(?,?,?,00000000), ref: 73D7B01C
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(00000000,00000000,?,00000000,00000005), ref: 73D7B098
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLastselectsend
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 948727196-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • recv.WS2_32(?,?,?,?), ref: 73D7A8E3
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?), ref: 73D7A900
                                                                                                                                                                                                          • Part of subcall function 73D78D40: TlsGetValue.KERNEL32(73D76FA6,00000000,73D7D0CE), ref: 73D78D46
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 73D7A9C9
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D7AA75
                                                                                                                                                                                                        • recv.WS2_32(?,?,?,?), ref: 73D7AAC1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: recvselect$ErrorLastValue
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2434979398-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • accept.WS2_32(?,?,?), ref: 73D7A3C1
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?), ref: 73D7A3E0
                                                                                                                                                                                                          • Part of subcall function 73D78D40: TlsGetValue.KERNEL32(73D76FA6,00000000,73D7D0CE), ref: 73D78D46
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 73D7A4A9
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D7A555
                                                                                                                                                                                                        • accept.WS2_32(?,?,?), ref: 73D7A598
                                                                                                                                                                                                          • Part of subcall function 73D6D100: __aulldiv.LIBCMT ref: 73D6D13C
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D7A5DE
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLastacceptselect$Value__aulldiv
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1760304501-0
                                                                                                                                                                                                        • Opcode ID: a7a8494dbce81223e7a1c21fc240e2ce869fdd9118dcdf5887fe8c9f7b69967e
                                                                                                                                                                                                        • Instruction ID: 83aca0e17fb00f976f2d985b1985ad4740df2da84a9f4b6d0667d59c5e1f8309
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a7a8494dbce81223e7a1c21fc240e2ce869fdd9118dcdf5887fe8c9f7b69967e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 826191B29083419FE321DF64D84475EB7F9AB887B4F140A1DE99AB73C0D734D9448BA2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2086425690.0000000073DB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 73DB0000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086396192.0000000073DB0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086457689.0000000073DB3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73db0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Unlock$CallLockMallocOncememcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2179638178-0
                                                                                                                                                                                                        • Opcode ID: 363143ece60e507658cff3c6749fdbd8ebc7fcafaed876a87177eb84dc9be483
                                                                                                                                                                                                        • Instruction ID: b47ebcd81291e65283fd914bf504fcc8a2f3929332e2a4395aa45c016306615e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 363143ece60e507658cff3c6749fdbd8ebc7fcafaed876a87177eb84dc9be483
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0241A472A00315CFC711CF19C88574A77F2BF88724728896CE89BA7745E735E816CBA4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: %s incr => %d (for %s)$error %d
                                                                                                                                                                                                        • API String ID: 0-2595713853
                                                                                                                                                                                                        • Opcode ID: 5a79373071d00745d93d620f59551f9b4022c822a8b4a58662b412e41559af0d
                                                                                                                                                                                                        • Instruction ID: 95db1cccdc07e855a5f1dc7e6cc49ea230e17f6e01e276b2f269784b9fc0e271
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a79373071d00745d93d620f59551f9b4022c822a8b4a58662b412e41559af0d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D3415972600209DFD302DF29CC50B6677BAEF407A4B5805A8ECAAB7251E722F904C7A5
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CreatePipe.KERNEL32(0000000C,?,?,?), ref: 73D73CBF
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?), ref: 73D73CC9
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,00000000), ref: 73D73D0A
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 73D73D10
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 73D73D43
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CloseHandle$CreateErrorLastPipe
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3219379475-0
                                                                                                                                                                                                        • Opcode ID: ee414e3e9b29b2d21c9a9093017f536c1c49f2f1739b2a25f51477db4ee0167d
                                                                                                                                                                                                        • Instruction ID: 165dacf2c301de4f56b3ebff53a52483f9f473a198ab5c09e657484794c8368e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ee414e3e9b29b2d21c9a9093017f536c1c49f2f1739b2a25f51477db4ee0167d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: DD21C175414301EFD701AF28CC44B8B7FE8BF44334F548A69F899A32A1E776D5588BA2
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • -----END CERTIFICATE-----, xrefs: 73D9D792
                                                                                                                                                                                                        • -----BEGIN CERTIFICATE-----, xrefs: 73D9D712
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2086199492.0000000073D91000.00000020.00000001.01000000.00000011.sdmp, Offset: 73D90000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086172199.0000000073D90000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086332184.0000000073DA3000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086367321.0000000073DA9000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d90000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: -----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----
                                                                                                                                                                                                        • API String ID: 0-2949388839
                                                                                                                                                                                                        • Opcode ID: 2a92a880869dc4c6d7a4cae2d4e36a7f85ee9c43e2cddeab1732962b83b3b912
                                                                                                                                                                                                        • Instruction ID: a38d4e14e8ea35936ed45272fac9327fc7e31f5dc8199a72909dd9d2f7373da4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2a92a880869dc4c6d7a4cae2d4e36a7f85ee9c43e2cddeab1732962b83b3b912
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 43919D639043501BF7026A2C5C6876AF7E9DBC1A31F5C066AECD7A62C2F32DC50587E6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetProcAddress.KERNEL32(73D813F8,?), ref: 73D67D94
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D67DA6
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D67DB6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$AddressProc
                                                                                                                                                                                                        • String ID: error %d
                                                                                                                                                                                                        • API String ID: 1975335638-2147592115
                                                                                                                                                                                                        • Opcode ID: c2460db954a6d3c8406fd6618122cd0450d9dab8e9d404eb9f5288bb5fedcccb
                                                                                                                                                                                                        • Instruction ID: 688672eccf6628685c39183d7dd6738e16de1c56d16c5b306bcd5f3fbc94c23c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c2460db954a6d3c8406fd6618122cd0450d9dab8e9d404eb9f5288bb5fedcccb
                                                                                                                                                                                                        • Instruction Fuzzy Hash: DE31F832704245DBD701DF38DC51BBA77EA9F846A4F980859ECAAE7252E711D80C8AB1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 73D67C6F
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: HandleModule
                                                                                                                                                                                                        • String ID: Executable$Loaded library %s (init)$linker-lock
                                                                                                                                                                                                        • API String ID: 4139908857-3658172304
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetFileAttributesExA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,73D79291,?), ref: 73D79300
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,73D79291,?), ref: 73D7930A
                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 73D7937E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
• Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AttributesErrorFileLastUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2626227794-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
• Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: htons
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4207154920-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 73D78D40: TlsGetValue.KERNEL32(73D76FA6,00000000,73D7D0CE), ref: 73D78D46
                                                                                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 73D7A036
                                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,00000000), ref: 73D7A043
                                                                                                                                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 73D7A04C
                                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 73D7A0DF
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
• Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CriticalObjectSectionSingleWait$EnterLeaveValue
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2955843271-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 73D7B881
                                                                                                                                                                                                        • Sleep.KERNEL32(00000000,00000000,00000000,?,00000000,00000005), ref: 73D7B8A3
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D7B8B2
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D7B8C1
                                                                                                                                                                                                        • getsockopt.WS2_32(?,0000FFFF,00001007,00000004,?), ref: 73D7B934
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
• Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Sleepgetsockoptselect
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2100861750-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Free.NSPR4(?,?,?,?,73DB150D,?,?,00000000), ref: 73DB1025
                                                                                                                                                                                                        • PR_CallOnce.NSPR4(73DB4068,73DB10A0,?,?,?,73DB150D,?,?,00000000), ref: 73DB1051
                                                                                                                                                                                                        • PR_Lock.NSPR4 ref: 73DB1065
                                                                                                                                                                                                        • PR_Unlock.NSPR4 ref: 73DB1087
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2086425690.0000000073DB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 73DB0000, based on PE: true
• Associated: 00000023.00000002.2086396192.0000000073DB0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000023.00000002.2086457689.0000000073DB3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73db0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CallFreeLockOnceUnlock
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 684047005-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 73D78559
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D78564
                                                                                                                                                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 73D78588
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 73D78594
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
• Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2321548817-0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • MapViewOfFile.KERNEL32(?,00000002,00000000,00000000,?), ref: 73D7CAB1
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D7CABD
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • _MD_AttachSharedMemory: MapViewOfFile() failed. OSerror: %d, xrefs: 73D7CADE
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorFileLastView
                                                                                                                                                                                                        • String ID: _MD_AttachSharedMemory: MapViewOfFile() failed. OSerror: %d
                                                                                                                                                                                                        • API String ID: 311336725-2908509698
                                                                                                                                                                                                        • Opcode ID: c300d008fc5c7857994624b031d8e750c0adae2d1cf033aceff8a5eb05ca6184
                                                                                                                                                                                                        • Instruction ID: bfd06b6c64c9f7daf8661c7e9f064d89cd6c906a23062d8ecc0eaff994b600cc
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c300d008fc5c7857994624b031d8e750c0adae2d1cf033aceff8a5eb05ca6184
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C6F0E272601340AFE3229760DC0AB4A3A55AB40365F158058FF8AAB2A2D725AC0087A5
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • LockFile.KERNEL32(?,00000000,00000000,00000000,000000FF,73D73F10,?), ref: 73D795CC
                                                                                                                                                                                                        • GetLastError.KERNEL32(?), ref: 73D795D7
                                                                                                                                                                                                          • Part of subcall function 73D63EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D63FD4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • _PR_MD_LOCKFILE() failed. Error: %d, xrefs: 73D795F4
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CriticalEnterErrorFileLastLockSection
                                                                                                                                                                                                        • String ID: _PR_MD_LOCKFILE() failed. Error: %d
                                                                                                                                                                                                        • API String ID: 1358300211-3062140089
                                                                                                                                                                                                        • Opcode ID: 947b7c3a1421329c64d6ec7e6c88761236b6c47ea1f3d7cf9d0c57c922e5d06b
                                                                                                                                                                                                        • Instruction ID: 550de9bff7f8e2d04278b2b1d5df74b8c744f4de2132994d6522f4b758395252
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 947b7c3a1421329c64d6ec7e6c88761236b6c47ea1f3d7cf9d0c57c922e5d06b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EDE020336052105BD7311F395C4AF8A37955F01731F340310F82DF52D1E724981885AF
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • UnmapViewOfFile.KERNEL32(?), ref: 73D7CB74
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D7CB7E
                                                                                                                                                                                                          • Part of subcall function 73D63EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D63FD4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • _MD_DetachSharedMemory: UnmapViewOfFile() failed. OSerror: %d, xrefs: 73D7CB9E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CriticalEnterErrorFileLastSectionUnmapView
                                                                                                                                                                                                        • String ID: _MD_DetachSharedMemory: UnmapViewOfFile() failed. OSerror: %d
                                                                                                                                                                                                        • API String ID: 2920721728-1850521274
                                                                                                                                                                                                        • Opcode ID: f75ce1505b75c8f24223fc38c848e85fc7db86ac05e220679fa29e05490799d0
                                                                                                                                                                                                        • Instruction ID: c77e8f07bb7963d95058676696b15f258a2c7610e4091ac31c2cb40634e1505d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f75ce1505b75c8f24223fc38c848e85fc7db86ac05e220679fa29e05490799d0
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3FE0CD725011409FD7122B75CC0DB4E37986F003757144610FCBEE3162F734E4548636
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(Function_00019ED0), ref: 73D79ED5
                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 73D79EE1
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • InitializeCriticalSectionEx, xrefs: 73D79EDB
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000023.00000002.2085907786.0000000073D61000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000023.00000002.2085880370.0000000073D60000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D7F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086085707.0000000073D82000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000023.00000002.2086137156.0000000073D87000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_35_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                                                                                        • String ID: InitializeCriticalSectionEx
                                                                                                                                                                                                        • API String ID: 1646373207-3084827643
                                                                                                                                                                                                        • Opcode ID: 4f1991ccbb8e776dababc8fd5091a7bf11a8ece7f80b0bd0875edb1e037084fb
                                                                                                                                                                                                        • Instruction ID: c88a80ca1e288d254675d2916971a0594df0bae07146cfdf261d7516082122e1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f1991ccbb8e776dababc8fd5091a7bf11a8ece7f80b0bd0875edb1e037084fb
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 32B092B7902104AFCB643BB2CC8CBE83A68A684302B304251FE59E5109EB34A14C8F1A

                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                        Execution Coverage:0.8%
                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                        Total number of Nodes:250
                                                                                                                                                                                                        Total number of Limit Nodes:11

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(00000008,?), ref: 73D98962
                                                                                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 73D98969
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D98982
                                                                                                                                                                                                          • Part of subcall function 73D83EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D83FD4
                                                                                                                                                                                                        • GetTokenInformation.KERNELBASE(?,00000004,?,00000400,00000000), ref: 73D989BF
                                                                                                                                                                                                        • GetLengthSid.ADVAPI32(?), ref: 73D989C9
                                                                                                                                                                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 73D989EA
                                                                                                                                                                                                        • GetTokenInformation.KERNELBASE(?,00000005(TokenIntegrityLevel),?,00000400,00000000), ref: 73D98A04
                                                                                                                                                                                                        • GetLengthSid.ADVAPI32(?), ref: 73D98A0E
                                                                                                                                                                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 73D98A2F
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 73D98A39
                                                                                                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,73DA82B4), ref: 73D98A5B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • _PR_NT_InitSids: OpenProcessToken() failed. Error: %d, xrefs: 73D98989
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Token$CopyInformationLengthProcess$AllocateCloseCriticalCurrentEnterErrorHandleInitializeLastOpenSection
                                                                                                                                                                                                        • String ID: _PR_NT_InitSids: OpenProcessToken() failed. Error: %d
                                                                                                                                                                                                        • API String ID: 2490781191-1216436346
                                                                                                                                                                                                        • Opcode ID: 33dc20d306156dfc626b7370d962d370b9d0a1dcffa0b82c51d6c6e1ebad72c6
                                                                                                                                                                                                        • Instruction ID: b89a7722d121853284eef67d1177d7886de791cd5cfd2149ca6acc8a8019ecde
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 33dc20d306156dfc626b7370d962d370b9d0a1dcffa0b82c51d6c6e1ebad72c6
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E0314DB3505300AFE710EF61CD09BAA7BEDFB84705F104828F68DA6190D7349958CB6B

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 73D87E85
                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 73D87EB8
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 73D87ED4
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D87EFF
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 73D87FAA
                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,?), ref: 73D87FF4
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D88000
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ByteCharMultiWide$ErrorLast$LibraryLoad
                                                                                                                                                                                                        • String ID: Loaded library %s (load lib)$error %d
                                                                                                                                                                                                        • API String ID: 2288181798-2368894446
                                                                                                                                                                                                        • Opcode ID: 7e3d766e7c7e8849e00e6de103ac0cd730c3b27d5fc562a76e00223a089430de
                                                                                                                                                                                                        • Instruction ID: 6fbdea29be89ed1530d807514562fac406ceb6c8e28492b9b4374a6b0a703cf2
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7e3d766e7c7e8849e00e6de103ac0cd730c3b27d5fc562a76e00223a089430de
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F051E9726053016BE311AF65DC05F9B7AE8EF40B21F240528F95AB72C0EB75F948C7A6

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 73D98EEB
                                                                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 73D98EF2
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(00000000), ref: 73D98EF9
                                                                                                                                                                                                        • DuplicateHandle.KERNELBASE(00000000), ref: 73D98F00
                                                                                                                                                                                                        • CreateSemaphoreA.KERNEL32(00000000,00000000,00000001,00000000), ref: 73D98F0E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Current$Process$CreateDuplicateHandleSemaphoreThread
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 514173987-0
                                                                                                                                                                                                        • Opcode ID: 7cfd9218e95053099d0ed2ba2055fd90e532e5d8d72034793e75d47fc735ff84
                                                                                                                                                                                                        • Instruction ID: e2daf2e8e3fc9dad0d2433f61177fd49cd46e8b60e964e3c3a09ee0662e8853e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7cfd9218e95053099d0ed2ba2055fd90e532e5d8d72034793e75d47fc735ff84
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51F0C973685745BAEA106BB1CC0EFD5BAADFB54B03F214605B64EFA0D0CBB460A48758

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 73D94330
                                                                                                                                                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 73D94369
                                                                                                                                                                                                        • GetStdHandle.KERNEL32(000000F4), ref: 73D943A2
                                                                                                                                                                                                        • WSAStartup.WS2_32(00000101,5AE72AB2), ref: 73D9958D
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Handle$Startup
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1193030618-0
                                                                                                                                                                                                        • Opcode ID: 888145405ea9653c5a0b6044b0235381d08fef99979cf7c7de36f58e1ae96d30
                                                                                                                                                                                                        • Instruction ID: 6fd692536913c1220258a5bda6a4bb34e9dfad188bafb6dfd322acaa6390f5af
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 888145405ea9653c5a0b6044b0235381d08fef99979cf7c7de36f58e1ae96d30
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5831E372D403109BF720AF758D54B5A7BE5EB54B20F240618E8497B381EB39A801CBE9

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 73D988F0: FreeSid.ADVAPI32(00D7B560,73D98D66,00000000,73D8C9B6), ref: 73D9891E
                                                                                                                                                                                                        • WSACleanup.WS2_32 ref: 73D98D6B
                                                                                                                                                                                                        • TlsFree.KERNELBASE(00000000,73D8C9B6), ref: 73D98D7C
                                                                                                                                                                                                        • TlsFree.KERNELBASE ref: 73D98D84
                                                                                                                                                                                                        • TlsFree.KERNEL32 ref: 73D98D8C
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Free$Cleanup
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3327822341-0
                                                                                                                                                                                                        • Opcode ID: 180b8774acae0d18ba0abda4f10218d96ad27d2c5e3859d3a5ec8266ec60f1d4
                                                                                                                                                                                                        • Instruction ID: 8a1f8906307bc90b061fccb3c53ba4b6b2f2be22fa119d6de81efaf8d8b67f73
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 180b8774acae0d18ba0abda4f10218d96ad27d2c5e3859d3a5ec8266ec60f1d4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2AC012334011685BFB123B72ED05B8D3F31EF021613288052D80871020CB390C559EFD

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 125 73d98e80-73d98e8d 126 73d98e8f-73d98e96 CloseHandle 125->126 127 73d98ea0-73d98ea8 125->127 126->127 128 73d98ebb-73d98eca TlsSetValue 127->128 129 73d98eaa-73d98eb1 CloseHandle 127->129 129->128
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CloseHandle.KERNELBASE(CCCC0000,00000000,73D8C963,00000000), ref: 73D98E90
                                                                                                                                                                                                        • CloseHandle.KERNEL32(CCCCCCCC,00000000,73D8C963,00000000), ref: 73D98EAB
                                                                                                                                                                                                        • TlsSetValue.KERNEL32(00000000,00000000,73D8C963,00000000), ref: 73D98EC3
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CloseHandle$Value
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2076415241-0
                                                                                                                                                                                                        • Opcode ID: 4c07cc4d69c4227ddf1461f365c90b452959f115d92e68e530d777aeac2a0b6b
                                                                                                                                                                                                        • Instruction ID: 874702f0f1e744ab0e30605d3d5365bdf2169fc8150abfc5fb2fc93f3f0b46df
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4c07cc4d69c4227ddf1461f365c90b452959f115d92e68e530d777aeac2a0b6b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4FE0BFB66057019FE7106F25D858BC77BF8FB14B15F244818E8DAF3290C7B5A8858B98

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 130 73d88190-73d8819a 131 73d8819c-73d881b4 GetSystemInfo 130->131 132 73d881d7-73d881da 130->132 133 73d881c6-73d881d5 131->133 134 73d881b6-73d881c5 131->134 133->132
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetSystemInfo.KERNELBASE(?), ref: 73D881A1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InfoSystem
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 31276548-0
                                                                                                                                                                                                        • Opcode ID: 9067bab37dc06e5ff142149c9e47c7653076adca20dc77b960405f8cebd4f016
                                                                                                                                                                                                        • Instruction ID: b39450842fff2536bd45f9b9540add7a3502ab01af38bd3fe7a41e446cb1b477
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9067bab37dc06e5ff142149c9e47c7653076adca20dc77b960405f8cebd4f016
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C1E0ED779112048FE304EF2ACA857567BF8B748621F98052DD94DD2240E735D8498B45

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 135 73d96640-73d96650 RtlDeleteCriticalSection call 73d88110 137 73d96655-73d96659 135->137
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • RtlDeleteCriticalSection.NTDLL(?), ref: 73D96649
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CriticalDeleteSection
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 166494926-0
                                                                                                                                                                                                        • Opcode ID: 6975788be8682486555a5ac65c2373f83cf5def12b61074cccc1e63a697e010f
                                                                                                                                                                                                        • Instruction ID: 8ac00fca9af7e42cbc58f8377763956b6a525f275f05acd8ef23db389f2958bb
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6975788be8682486555a5ac65c2373f83cf5def12b61074cccc1e63a697e010f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3EC02B73C012219BC9406B50F805CCB33ACAE051157044811F005F3000D734F54F87E2

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 138 73d61600-73d6160b PR_Malloc
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Malloc.NSPR4(00000010), ref: 73D61602
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089746641.0000000073D61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089713807.0000000073D60000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089786161.0000000073D63000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Malloc
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2696272793-0
                                                                                                                                                                                                        • Opcode ID: c0c160fa306702a4a648916c1de766ae2f5c23ba4702ca8e9c9567ada1ebca94
                                                                                                                                                                                                        • Instruction ID: 85eca5f180f186d960c0c65d004394531e75653546da4dbcdebabd93c7ee2c82
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c0c160fa306702a4a648916c1de766ae2f5c23ba4702ca8e9c9567ada1ebca94
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CB9022BA00000083EB002B20280E30030003B00B00FC00030C08E080E0C2C2003C802F
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Value
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3702945584-0
                                                                                                                                                                                                        • Opcode ID: 25954f850df89dc454ff8abfe9e41ea6f3e0c6974853c5b3bb495822778016ac
                                                                                                                                                                                                        • Instruction ID: 4564912bca9a8eedbcd460572c442e8eee04b83f71b13e28d98560d811a509e1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 25954f850df89dc454ff8abfe9e41ea6f3e0c6974853c5b3bb495822778016ac
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5CE19DB16083418BF715CF24C89076AB3F9FF84714F14492DE9CAA7290E778D9458F5A
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: htons
                                                                                                                                                                                                        • String ID: gfff$gfff$gfff$gfff
                                                                                                                                                                                                        • API String ID: 4207154920-2178600047
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • FindFirstFileA.KERNEL32(?,?,?,00000000), ref: 73D9995C
                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 73D9996A
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorFileFindFirstLast
                                                                                                                                                                                                        • String ID: UUUU$\*.*
                                                                                                                                                                                                        • API String ID: 873889042-3193473139

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(00000000), ref: 73D845FB
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DebugOutputString
                                                                                                                                                                                                        • String ID: , %n$%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n$NSPR_LOG_FILE$NSPR_LOG_MODULES$Unable to create nspr log file '%s'$all$append$bufsize$sync$timestamp
                                                                                                                                                                                                        • API String ID: 1166629820-4000297177

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 73D98D40: TlsGetValue.KERNEL32(73D96FA6,00000000,73D9D0CE), ref: 73D98D46
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 73D9B881
                                                                                                                                                                                                        • Sleep.KERNEL32(00000000,00000000,00000000,?,00000000,00000005), ref: 73D9B8A3
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D9B8B2
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D9B8C1
                                                                                                                                                                                                        • getsockopt.WS2_32(?,0000FFFF,00001007,00000004,?), ref: 73D9B934
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D9BA1C
                                                                                                                                                                                                        • Sleep.KERNEL32(00000000), ref: 73D9BA3B
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D9BA46
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D9BA55
                                                                                                                                                                                                        • WSAGetLastError.WS2_32 ref: 73D9BAB2
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Sleepselect$ErrorLastValuegetsockopt
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2789319419-0

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 73D876F0
                                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(?), ref: 73D87706
                                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 73D8771F
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D87729
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 73D87764
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D87770
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D877E0
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D877F0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$ByteCharModuleMultiWide$FileHandleName
                                                                                                                                                                                                        • String ID: error %d
                                                                                                                                                                                                        • API String ID: 782665465-2147592115
                                                                                                                                                                                                        • Opcode ID: 9666b1e0d489cef33dd3aa835fde173797bf74ebe9d773de21503805337f32c4
                                                                                                                                                                                                        • Instruction ID: e379795378794a71abd17029c7eb3e01ebeeb618481ec76ef971d810d55a3a15
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9666b1e0d489cef33dd3aa835fde173797bf74ebe9d773de21503805337f32c4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 994199B37053006BF720EBB5DC49FEB779CEB84721F940519B65AF61C0EB74A40886A6

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 357 73d98a80-73d98a89 358 73d98a8b-73d98a9d call 73d8c2d0 357->358 359 73d98a9e-73d98aaf call 73d88120 357->359 364 73d98ac8-73d98ad3 InitializeSecurityDescriptor 359->364 365 73d98ab1-73d98ac7 GetLastError call 73d9bbf0 359->365 367 73d98ad9-73d98aea SetSecurityDescriptorOwner 364->367 368 73d98c04-73d98c1e GetLastError call 73d9bbf0 call 73d88110 364->368 367->368 371 73d98af0-73d98b01 SetSecurityDescriptorGroup 367->371 379 73d98c29-73d98c30 368->379 380 73d98c20-73d98c26 call 73d88110 368->380 371->368 372 73d98b07-73d98b3b GetLengthSid * 3 call 73d88120 371->372 372->368 378 73d98b41-73d98b4d InitializeAcl 372->378 378->368 381 73d98b53-73d98b63 378->381 380->379 383 73d98b65 381->383 384 73d98b67-73d98b69 381->384 383->384 386 73d98b6b 384->386 387 73d98b6e-73d98b71 384->387 386->387 388 73d98b73 387->388 389 73d98b76-73d98b7e 387->389 388->389 390 73d98b80-73d98b8e 389->390 391 73d98b96-73d98b9b 389->391 390->368 399 73d98b90 390->399 392 73d98b9d 391->392 393 73d98b9f-73d98ba2 391->393 392->393 394 73d98ba4 393->394 395 73d98ba7-73d98baa 393->395 394->395 397 73d98bac 395->397 398 73d98baf-73d98bb1 395->398 397->398 400 73d98bc3-73d98bc8 398->400 401 73d98bb3-73d98bc1 398->401 399->391 402 73d98bca 400->402 403 73d98bcc-73d98bcf 400->403 401->368 401->400 402->403 405 73d98bd1 403->405 406 73d98bd4-73d98bd7 403->406 405->406 407 73d98bd9 406->407 408 73d98bdc-73d98bde 406->408 407->408 409 73d98be0-73d98bf2 AddAccessAllowedAce 408->409 410 73d98bf4-73d98c02 SetSecurityDescriptorDacl 408->410 409->368 409->410 410->368 411 73d98c31-73d98c43 410->411
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1452528299-0
                                                                                                                                                                                                        • Opcode ID: 0c783dd2d8d3cf631d3bee938349aa2f01bc769efbc3947f7467300259a13c86
                                                                                                                                                                                                        • Instruction ID: 052436e914153a49b2882da2bf3174a8fa13a8b5dda093640433a859f9f59d60
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0c783dd2d8d3cf631d3bee938349aa2f01bc769efbc3947f7467300259a13c86
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 16419BB36012016EFB52AA26ED45FA77BFCEF80F75F180528F95BA21D1DB25D400C628

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_GetError.NSPR4 ref: 73D71FB5
                                                                                                                                                                                                        • PR_GetOSError.NSPR4 ref: 73D71FBD
                                                                                                                                                                                                        • PR_ErrorToName.NSPR4(00000000), ref: 73D71FC6
                                                                                                                                                                                                        • PR_fprintf.NSPR4(?,%s: ,?), ref: 73D71FEC
                                                                                                                                                                                                        • PR_fprintf.NSPR4(?, (%d)OUT OF RANGE, oserror = %d,00000000,00000000), ref: 73D72001
                                                                                                                                                                                                        • PR_fprintf.NSPR4(?,%s(%d), oserror = %d,00000000,00000000,00000000), ref: 73D72013
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089851555.0000000073D71000.00000020.00000001.01000000.00000012.sdmp, Offset: 73D70000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089818318.0000000073D70000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089889708.0000000073D73000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d70000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorR_fprintf$Name
                                                                                                                                                                                                        • String ID: (%d)OUT OF RANGE, oserror = %d$%s(%d), oserror = %d$%s:
                                                                                                                                                                                                        • API String ID: 4154372385-1619349177
                                                                                                                                                                                                        • Opcode ID: e27979446bf645bd32b4896bea2868d9a2771da7737a534173d767345a26b919
                                                                                                                                                                                                        • Instruction ID: 080902b4a211045d05b3d32c6a518eb3fde2cf787d1f0b522e5c4e7b82c95c35
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e27979446bf645bd32b4896bea2868d9a2771da7737a534173d767345a26b919
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6FF0FCB37012156FD7007B3A9C48D6FBB5CEE813697150129FC8AA3202E7A3992949F7
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D83FD4
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00040000), ref: 73D840B2
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(0000000A), ref: 73D840FD
                                                                                                                                                                                                        • RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D84169
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(?,?,?,?,?,?,00000000,00000000,00040000,?), ref: 73D8419C
                                                                                                                                                                                                        • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00040000,?), ref: 73D841EC
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • %ld[%p]: , xrefs: 73D83F58
                                                                                                                                                                                                        • %04d-%02d-%02d %02d:%02d:%02d.%06d UTC - , xrefs: 73D83F1E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DebugOutputString$CriticalEnterSection
                                                                                                                                                                                                        • String ID: %04d-%02d-%02d %02d:%02d:%02d.%06d UTC - $%ld[%p]:
                                                                                                                                                                                                        • API String ID: 2660680679-2800039365
                                                                                                                                                                                                        • Opcode ID: d407d1992362a1cf2cb46f9ff225d4633f3b2580f39f19ce11e21bc44c7132b3
                                                                                                                                                                                                        • Instruction ID: 9bbc2df628f2c219df1ed156a9f62a5104c22c3453ad635552e90dfd46ef5276
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d407d1992362a1cf2cb46f9ff225d4633f3b2580f39f19ce11e21bc44c7132b3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D1A1F2735093409FD301EB79CD48BAA7BF9EB45710F640518F48AA7281D775E904CBAA
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: D$NSPR_INHERIT_FDS=
                                                                                                                                                                                                        • API String ID: 0-1748084516
                                                                                                                                                                                                        • Opcode ID: ed354492c8bebd626c93d2bef9299afcd2f4038cb808e2b70287e7fc6d36b09b
                                                                                                                                                                                                        • Instruction ID: b417600503a62b5fce729c1120b3bd5bf0ae71a3ce0c9f57ec87364c56a63ffc
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ed354492c8bebd626c93d2bef9299afcd2f4038cb808e2b70287e7fc6d36b09b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F391A5B59043059FE710DF64D840B5BB7E8FF44F25F140928F95AA7281E774E908CBAA
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetVersionExA.KERNEL32(00000094), ref: 73D9801D
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D98027
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLastVersion
                                                                                                                                                                                                        • String ID: %d.%d$Windows_95$Windows_98$Windows_NT$Windows_Unknown
                                                                                                                                                                                                        • API String ID: 305913169-3588704869
                                                                                                                                                                                                        • Opcode ID: 5cfcfaa0d9623add7a615fc44201481a0750cbe2f8ec8f1cce28771842230c96
                                                                                                                                                                                                        • Instruction ID: 01c8cd4e121fde57d0b5ae1ba2a57511a7e9e6f83a0b83e5e0f0c2775fc2dafe
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5cfcfaa0d9623add7a615fc44201481a0750cbe2f8ec8f1cce28771842230c96
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CD31B572A04300AFF730A774DD06B9F73E5EF95620F954819E54EB2281EB3994188B9B
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CreateFileMappingA.KERNEL32(000000FF,?,00000004,00000000), ref: 73D9CD7C
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00000004,00000000), ref: 73D9CDB9
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00000004,00000000), ref: 73D9CDCF
                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 73D9CE0B
                                                                                                                                                                                                          • Part of subcall function 73D83EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D83FD4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • PR_OpenSharedMemory: Request exclusive & already exists, xrefs: 73D9CDE9
                                                                                                                                                                                                        • PR_OpenSharedMemory: CreateFileMapping() failed: %s, xrefs: 73D9CDAC
                                                                                                                                                                                                        • PR_OpenSharedMemory: CreateFileMapping() success: %s, handle: %d, xrefs: 73D9CE4A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$CloseCreateCriticalEnterFileHandleMappingSection
                                                                                                                                                                                                        • String ID: PR_OpenSharedMemory: CreateFileMapping() failed: %s$PR_OpenSharedMemory: CreateFileMapping() success: %s, handle: %d$PR_OpenSharedMemory: Request exclusive & already exists
                                                                                                                                                                                                        • API String ID: 510033722-2926580257
                                                                                                                                                                                                        • Opcode ID: e2f117cb67ccf8e1af522ad9c4a01ddb310091b6fe65140f852033a2518a259c
                                                                                                                                                                                                        • Instruction ID: a86b49ccd99d152117d03ce03b8b89b10bbf0adf431f2940a43a6340246050f0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e2f117cb67ccf8e1af522ad9c4a01ddb310091b6fe65140f852033a2518a259c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A34116B69053409FF312AF60DC05B467BA4FF41225F180929E8C6B7152E7399558CF6B
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000001,00000002), ref: 73D9D037
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,00000000), ref: 73D9D041
                                                                                                                                                                                                        • DuplicateHandle.KERNEL32(00000000), ref: 73D9D048
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D9D052
                                                                                                                                                                                                          • Part of subcall function 73D83EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D83FD4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • _md_OpenAnonFileMap(): DuplicateHandle(): failed, xrefs: 73D9D071
                                                                                                                                                                                                        • _md_OpenAnonFileMap(): PR_CreateFileMap(): failed, xrefs: 73D9D01B
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CurrentProcess$CriticalDuplicateEnterErrorHandleLastSection
                                                                                                                                                                                                        • String ID: _md_OpenAnonFileMap(): DuplicateHandle(): failed$_md_OpenAnonFileMap(): PR_CreateFileMap(): failed
                                                                                                                                                                                                        • API String ID: 472606604-3740453005
                                                                                                                                                                                                        • Opcode ID: 14549f827e45bf1f48e78e601a98a19504d5230d4a0dad7fa3a2681098ee89bd
                                                                                                                                                                                                        • Instruction ID: a9ed89fdc126e178bedc79631806af99d160bd296e3c4cda497942e178d37d35
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 14549f827e45bf1f48e78e601a98a19504d5230d4a0dad7fa3a2681098ee89bd
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F112973201300ABE701ABA5EC08B8A7B7AEB80312F154524F51DB2190E735E4698766
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • TlsGetValue.KERNEL32(00000001,73D98D5A,00000000,00000001,00000000,00000000), ref: 73D96E6D
                                                                                                                                                                                                        • TlsSetValue.KERNEL32(00000000,00000000,00000000), ref: 73D96E86
                                                                                                                                                                                                        • TlsSetValue.KERNEL32(00000000), ref: 73D96E90
                                                                                                                                                                                                        • TlsSetValue.KERNEL32(00000000), ref: 73D96EB7
                                                                                                                                                                                                        • RtlDeleteCriticalSection.NTDLL(00000040), ref: 73D96F1C
                                                                                                                                                                                                        • TlsSetValue.KERNEL32(00000000), ref: 73D96F39
                                                                                                                                                                                                        • TlsGetValue.KERNEL32 ref: 73D96F41
                                                                                                                                                                                                        • TlsGetValue.KERNEL32 ref: 73D96F77
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Value$CriticalDeleteSection
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1707600571-0
                                                                                                                                                                                                        • Opcode ID: 69eb281aa7e42be69e6d85af731cacc886ff35c2ed9358389d57faeee34327f2
                                                                                                                                                                                                        • Instruction ID: 27e2b576359860704b5e99a51b3658ab505022762bce7906c80efceac944623c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 69eb281aa7e42be69e6d85af731cacc886ff35c2ed9358389d57faeee34327f2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AC31C3B35043049FF711AF65ED01F8A7FB9FB00665F184635E90BA11A0DB32D818CB9A
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CreateSemaphoreA.KERNEL32(00000000,?,7FFFFFFF,?), ref: 73D9C2E5
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,73D9588D,?,?,?,?), ref: 73D9C306
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CreateErrorLastSemaphore
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 778173943-0
                                                                                                                                                                                                        • Opcode ID: 44d1b44ca695a20e6bfeb5c5a94c57f653268d32e0172e2a922298ecb0dacd4b
                                                                                                                                                                                                        • Instruction ID: 64754e51176149639025e1977a22e9e13abcc4afb0d443415d03313563c5be11
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 44d1b44ca695a20e6bfeb5c5a94c57f653268d32e0172e2a922298ecb0dacd4b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C631CAB69043015BF7017B69AC05B9F7798EFC4A25F440939F9C9B1151F739C21886AB
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_SetError.NSPR4(FFFFE89D,?), ref: 73D7205F
                                                                                                                                                                                                        • PR_Calloc.NSPR4(00000001,00000014), ref: 73D72071
                                                                                                                                                                                                        • PR_SetError.NSPR4(FFFFE890,00000000), ref: 73D72086
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089851555.0000000073D71000.00000020.00000001.01000000.00000012.sdmp, Offset: 73D70000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089818318.0000000073D70000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089889708.0000000073D73000.00000002.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d70000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Error$Calloc
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4207371845-0
                                                                                                                                                                                                        • Opcode ID: 4ee710c406d68c563b3a38235d9f74ff9860090f35995ebe63ba0d21b34089f1
                                                                                                                                                                                                        • Instruction ID: c890b4523ba39bb4ebfb5ca55d15fe98b880de00d75d6aaacf92da44bfa45d23
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4ee710c406d68c563b3a38235d9f74ff9860090f35995ebe63ba0d21b34089f1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: DB2184B6600751AFD320DF6AD848747BBF4FB84726F20452DE59EC2280D3759068CBE5
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • socket.WS2_32(?,?), ref: 73D9B558
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000000,73D830B2), ref: 73D9B564
                                                                                                                                                                                                        • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 73D9B584
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,00000001,00000000,73D830B2), ref: 73D9B58D
                                                                                                                                                                                                        • closesocket.WS2_32(00000000), ref: 73D9B5A1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$closesocketioctlsocketsocket
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3997934912-0
                                                                                                                                                                                                        • Opcode ID: 06c203cebe9db9a7248c56aecd851c61bcf894512912f6fdc7caeca2a6bffe5e
                                                                                                                                                                                                        • Instruction ID: 3610a73994a4ca054635e94a0549f18dd0af9d8b826b903cdd057bc95bb2fddf
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 06c203cebe9db9a7248c56aecd851c61bcf894512912f6fdc7caeca2a6bffe5e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E7110472408302BBF711EA14DC04FAF7AA9DF81768F404938F895B11E0E778864CC6AB
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • sendto.WS2_32(?,?,?,00000000,?,?), ref: 73D9B1A9
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,00000000,?,?), ref: 73D9B1B7
                                                                                                                                                                                                        • select.WS2_32(00000000,00000000,?,00000000,?), ref: 73D9B289
                                                                                                                                                                                                        • select.WS2_32(00000000,00000000,?,00000000,00000005), ref: 73D9B340
                                                                                                                                                                                                        • sendto.WS2_32(?,?,?,00000000,?,?), ref: 73D9B393
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(00000000,00000000,?,00000000,00000005,?,?), ref: 73D9B413
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLastselectsendto
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 963654331-0
                                                                                                                                                                                                        • Opcode ID: a08f7c9ef890c8ce0f61a32fcd73209a821b96d7b450e547b7d07c1e758b345e
                                                                                                                                                                                                        • Instruction ID: 6b01ba7acefd4c0d73d0a8025d4a2f3095f674150ec72b95706e40b60925987d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a08f7c9ef890c8ce0f61a32fcd73209a821b96d7b450e547b7d07c1e758b345e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6291F472A083009FF710DF28D895B9EB7E5EF88734F154A2DE85AA72D0D73495048BA6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • send.WS2_32(?,?,?,00000000), ref: 73D9AE3C
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,00000000), ref: 73D9AE50
                                                                                                                                                                                                        • select.WS2_32(00000000,00000000,?,00000000,?), ref: 73D9AF1C
                                                                                                                                                                                                        • select.WS2_32(00000000,00000000,?,00000000,00000005), ref: 73D9AFD0
                                                                                                                                                                                                        • send.WS2_32(?,?,?,00000000), ref: 73D9B01C
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(00000000,00000000,?,00000000,00000005), ref: 73D9B098
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLastselectsend
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 948727196-0
                                                                                                                                                                                                        • Opcode ID: da22457f0d147641bb8653f866a4251bdc2a8c11dfbb8ebb5037c5be5a76fb3a
                                                                                                                                                                                                        • Instruction ID: 72cd6b198188d8b65d6ca1a7ec539a1450b9ce30b9d6535cd7f70d5c8ea7cd9a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: da22457f0d147641bb8653f866a4251bdc2a8c11dfbb8ebb5037c5be5a76fb3a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D681D472A083005BF320DF28D895B5EB7E5EF85774F150A1DF89AB72C0D73499048BA6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • recvfrom.WS2_32(?,?,?,00000000,?,?), ref: 73D9AB97
                                                                                                                                                                                                        • WSAGetLastError.WS2_32 ref: 73D9ABB0
                                                                                                                                                                                                          • Part of subcall function 73D98D40: TlsGetValue.KERNEL32(73D96FA6,00000000,73D9D0CE), ref: 73D98D46
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 73D9AC79
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D9AD25
                                                                                                                                                                                                        • recvfrom.WS2_32(?,?,?,00000000,?,?), ref: 73D9AD74
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D9ADA1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLastrecvfromselect$Value
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3722555639-0
                                                                                                                                                                                                        • Opcode ID: 5a7b49d84c87890f42e0c9f19f337305e3fe107095b2c41cf56652a664529505
                                                                                                                                                                                                        • Instruction ID: 9769bdb43bc9653918e76a9ce66e33fab4932b572cfd04ef88eeeffe124c6ffc
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a7b49d84c87890f42e0c9f19f337305e3fe107095b2c41cf56652a664529505
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A461B1725083409BF3219F68D844B9FB6E9EF88735F140A1DF9DAB72D0E73499048B5A
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • recv.WS2_32(?,?,?,?), ref: 73D9A8E3
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?), ref: 73D9A900
                                                                                                                                                                                                          • Part of subcall function 73D98D40: TlsGetValue.KERNEL32(73D96FA6,00000000,73D9D0CE), ref: 73D98D46
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 73D9A9C9
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D9AA75
                                                                                                                                                                                                        • recv.WS2_32(?,?,?,?), ref: 73D9AAC1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: recvselect$ErrorLastValue
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2434979398-0
                                                                                                                                                                                                        • Opcode ID: 30a403648dc2b4e05442c2e3fc9350a3fe9cc75140c9e0db41e34c5b52c92fc2
                                                                                                                                                                                                        • Instruction ID: f248bb3a118e8082113e0a8f9b8fae1e40dc8beecd9ebfeab13b73718544607a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 30a403648dc2b4e05442c2e3fc9350a3fe9cc75140c9e0db41e34c5b52c92fc2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5561C3735183459FF3219E64D944B9EB2EAFB84738F110A29E8DAB71C0D738D904875A
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • accept.WS2_32(?,?,?), ref: 73D9A3C1
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?), ref: 73D9A3E0
                                                                                                                                                                                                          • Part of subcall function 73D98D40: TlsGetValue.KERNEL32(73D96FA6,00000000,73D9D0CE), ref: 73D98D46
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 73D9A4A9
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D9A555
                                                                                                                                                                                                        • accept.WS2_32(?,?,?), ref: 73D9A598
                                                                                                                                                                                                          • Part of subcall function 73D8D100: __aulldiv.LIBCMT ref: 73D8D13C
                                                                                                                                                                                                        • WSAGetLastError.WS2_32(00000000,?,00000000,00000000,00000005), ref: 73D9A5DE
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLastacceptselect$Value__aulldiv
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1760304501-0
                                                                                                                                                                                                        • Opcode ID: c710ba59ad448332301fd5f409df556e67872a51416c8813828149b409fa40d4
                                                                                                                                                                                                        • Instruction ID: 2ab71a567c90b74713deaa410789053376684c6cf27a8d097cd12e18620a24df
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c710ba59ad448332301fd5f409df556e67872a51416c8813828149b409fa40d4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A6180B36083409BF361DF64984479EB7F9EB88764F140A1DE9CAB72C0D734D9448B9A
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089746641.0000000073D61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 73D60000, based on PE: true
• Associated: 00000025.00000002.2089713807.0000000073D60000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000025.00000002.2089786161.0000000073D63000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Unlock$CallLockMallocOncememcpy
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2179638178-0
                                                                                                                                                                                                        • Opcode ID: 4373a86c365c2f620961d1db3ed0651ff9e321f108a5cb7d8c0903bd7e0a6b42
                                                                                                                                                                                                        • Instruction ID: f296254265b65e80d8650c1e80c918f6ea18faed0c22a63f861026e07d478691
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4373a86c365c2f620961d1db3ed0651ff9e321f108a5cb7d8c0903bd7e0a6b42
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1741B172A00715CFC711CF29C88164A77F1BF847A4718892CE8BBAB751D731E826CB94
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
• Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: %s incr => %d (for %s)$error %d
                                                                                                                                                                                                        • API String ID: 0-2595713853
                                                                                                                                                                                                        • Opcode ID: ddfc7fd3c53e4c784137832e63bd3b472ea3571db034d8e384aaeeca260df230
                                                                                                                                                                                                        • Instruction ID: 9ff0468f6c8bb952a9602e60903d7cc55b233948bbc1e003ab155aea40c9a43e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ddfc7fd3c53e4c784137832e63bd3b472ea3571db034d8e384aaeeca260df230
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52414C726053019FD302DF29DC41BA6B7BAEF40724B5905A8EC8EB7251E722FD84C7A5
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • MapViewOfFile.KERNEL32(?,?,?,?,73D828BB,?,73D848A5,?,?,?,?,73D828BB,?,?,00000000,00040000), ref: 73D97ED7
                                                                                                                                                                                                        • GetLastError.KERNEL32(00000400,?,00000000,00000000), ref: 73D97EEF
                                                                                                                                                                                                        • FormatMessageA.KERNEL32(00001100,00000000,00000000), ref: 73D97EFC
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D97F1E
                                                                                                                                                                                                          • Part of subcall function 73D83EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D83FD4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
• Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$CriticalEnterFileFormatMessageSectionView
                                                                                                                                                                                                        • String ID: md_memmap(): %s
                                                                                                                                                                                                        • API String ID: 96374981-2634054837
                                                                                                                                                                                                        • Opcode ID: cfa00d71171afac4369ccfba0d77204f314dafba2bdb00d75e0e0d53a57ba404
                                                                                                                                                                                                        • Instruction ID: ed76f92f588ef28c876f60fcc2b90ee33fd825d82f27bae2e0d5688f0062549f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: cfa00d71171afac4369ccfba0d77204f314dafba2bdb00d75e0e0d53a57ba404
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5BF0AF77505200BFE702AFC4DC08E9A7FADEB48762F154414FA4DB2120D3218828CBA6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089746641.0000000073D61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 73D60000, based on PE: true
• Associated: 00000025.00000002.2089713807.0000000073D60000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000025.00000002.2089786161.0000000073D63000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Unlock$CallLockMallocOnce
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3503020682-0
                                                                                                                                                                                                        • Opcode ID: 5c5fd3502517e79ea6b55dafdb9d2f702bb53089065ae283ee59607a12a6c1aa
                                                                                                                                                                                                        • Instruction ID: fb78d49d122d8fa8710b160f8ad2f3f1ad9aea8f15f624d4788f07582599ef98
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5c5fd3502517e79ea6b55dafdb9d2f702bb53089065ae283ee59607a12a6c1aa
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2541B072601711CFDB15CF29D880606B7F2FF847A132846A9E8BADB355D731E869CB80
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CreatePipe.KERNEL32(0000000C,?,?,?), ref: 73D93CBF
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?), ref: 73D93CC9
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,00000000), ref: 73D93D0A
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 73D93D10
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 73D93D43
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
• Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CloseHandle$CreateErrorLastPipe
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3219379475-0
                                                                                                                                                                                                        • Opcode ID: 37ef1e679ee0f334b96a28bd41d19c195922334c96c765d2154807a615967742
                                                                                                                                                                                                        • Instruction ID: 40be420a7b6dc07159ab108ff5bb6f006340502f10b68b6224c5d7b055d9fcf8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37ef1e679ee0f334b96a28bd41d19c195922334c96c765d2154807a615967742
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E21C471414301AFE701EF28CC04B8B7FE8FF44325F544A69F499A22B1E775D9588BA6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • -----BEGIN CERTIFICATE-----, xrefs: 73DBD712
                                                                                                                                                                                                        • -----END CERTIFICATE-----, xrefs: 73DBD792
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2090330499.0000000073DB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 73DB0000, based on PE: true
• Associated: 00000025.00000002.2090287179.0000000073DB0000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000025.00000002.2090486445.0000000073DC3000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000025.00000002.2090542610.0000000073DC9000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73db0000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: -----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----
                                                                                                                                                                                                        • API String ID: 0-2949388839
                                                                                                                                                                                                        • Opcode ID: 032b1b0b6f0307caf2439649a31021af6e3f4f1f3f3b05b8ef4851a10921f91f
                                                                                                                                                                                                        • Instruction ID: b45f00b733c37d01a603c56d8599fe9a5e7a9631f45bd21c7c2186f521d061fc
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 032b1b0b6f0307caf2439649a31021af6e3f4f1f3f3b05b8ef4851a10921f91f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 61918D679043901BE7025D2C4C607AAF7F59B81931F5C066AECD7A62C2F72DC50587E2
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetProcAddress.KERNEL32(73DA13F8,?), ref: 73D87D94
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D87DA6
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D87DB6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$AddressProc
                                                                                                                                                                                                        • String ID: error %d
                                                                                                                                                                                                        • API String ID: 1975335638-2147592115
                                                                                                                                                                                                        • Opcode ID: 739d5c4edbe9dd7d238f37ffb45da33ac4ae708d36c78e66fb8ec96fa01d5ff2
                                                                                                                                                                                                        • Instruction ID: 55107f7ef53928b59c0b0727df2098cec6e20728e0f897ba3e5752fb052233bf
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 739d5c4edbe9dd7d238f37ffb45da33ac4ae708d36c78e66fb8ec96fa01d5ff2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C331DB367042419BD701DF28DC51BFA77EADF84728F9C0459E84AFB251E721E90986A1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetFileAttributesExA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,73D99291,?), ref: 73D99300
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,73D99291,?), ref: 73D9930A
                                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 73D9937E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AttributesErrorFileLastUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2626227794-0
                                                                                                                                                                                                        • Opcode ID: dfda0662a9a0643b54a9e56e2bf80e70213f294950245ce0606b272d12b64cc4
                                                                                                                                                                                                        • Instruction ID: 48adc9841853026dafc9663fe7d9c8e2b1f02c67b01ea444139f2d95161f8d0c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: dfda0662a9a0643b54a9e56e2bf80e70213f294950245ce0606b272d12b64cc4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6C317CB2A047009FE324DF3AC951B5BB7E5EB58714F404A1DE48AE72C0E734E9448BA6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: htons
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4207154920-0
                                                                                                                                                                                                        • Opcode ID: dc563207216cefeda509b02812e8f444c8228557d4f1e663d5dba718e38f37a7
                                                                                                                                                                                                        • Instruction ID: 8c67e4250cb590532323ad797453e64aaf168636f052d26a8f47d368a7bad980
                                                                                                                                                                                                        • Opcode Fuzzy Hash: dc563207216cefeda509b02812e8f444c8228557d4f1e663d5dba718e38f37a7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 26313A765047019FD360DF29E50078ABBF1FB88720F108A2EE49ED3790E334A955CB99
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 73D98D40: TlsGetValue.KERNEL32(73D96FA6,00000000,73D9D0CE), ref: 73D98D46
                                                                                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 73D9A036
                                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,00000000), ref: 73D9A043
                                                                                                                                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 73D9A04C
                                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 73D9A0DF
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CriticalObjectSectionSingleWait$EnterLeaveValue
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2955843271-0
                                                                                                                                                                                                        • Opcode ID: 6bd32ea6dab0810ec2df5ebb9397e885939c3664a6d920ede147cfdc8eb0b24c
                                                                                                                                                                                                        • Instruction ID: 61c80e515f9147a9561a69ae294d55400cce338c4288a771e9ec9b5eca1bd83a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6bd32ea6dab0810ec2df5ebb9397e885939c3664a6d920ede147cfdc8eb0b24c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D431B372601301DFE7018F24C4C87D5FBB9FB44365F198266E89DAB289C771A8A4CBE4
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 73D9B881
                                                                                                                                                                                                        • Sleep.KERNEL32(00000000,00000000,00000000,?,00000000,00000005), ref: 73D9B8A3
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D9B8B2
                                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(?,00000000), ref: 73D9B8C1
                                                                                                                                                                                                        • getsockopt.WS2_32(?,0000FFFF,00001007,00000004,?), ref: 73D9B934
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Sleepgetsockoptselect
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2100861750-0
                                                                                                                                                                                                        • Opcode ID: c618a2e82cc80c74a9de1662387d267cd5e874cd4e893a5bbc02a79eaf1eed3d
                                                                                                                                                                                                        • Instruction ID: e096164b1efb390b326f70266ebd97f9164aa9ffdab973217d084f36ca0d75f0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c618a2e82cc80c74a9de1662387d267cd5e874cd4e893a5bbc02a79eaf1eed3d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7921B4B24043059BF3129E14C9447AB72FEEF88B74F060929E98BF7280D770D945875A
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PR_Free.NSPR4(?,?,?,?,73D6150D,?,?,00000000), ref: 73D61025
                                                                                                                                                                                                        • PR_CallOnce.NSPR4(73D64068,73D610A0,?,?,?,73D6150D,?,?,00000000), ref: 73D61051
                                                                                                                                                                                                        • PR_Lock.NSPR4 ref: 73D61065
                                                                                                                                                                                                        • PR_Unlock.NSPR4 ref: 73D61087
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089746641.0000000073D61000.00000020.00000001.01000000.0000000F.sdmp, Offset: 73D60000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089713807.0000000073D60000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089786161.0000000073D63000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d60000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CallFreeLockOnceUnlock
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 684047005-0
                                                                                                                                                                                                        • Opcode ID: 8069ca7f209ff11f648d1e246671383f6c091443f7bd605bf61d9b243065d221
                                                                                                                                                                                                        • Instruction ID: fc7778c7ee114a89eccc22049bf78657b091d7acc1be95f151462caa94fccdba
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8069ca7f209ff11f648d1e246671383f6c091443f7bd605bf61d9b243065d221
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 01113073504620DFDB10DF1AD885705B7F4FF852B1F24056AE4AAAB251D371A438CBA6
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 73D98559
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D98564
                                                                                                                                                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 73D98588
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 73D98594
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2321548817-0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: %s decr => %d$Unloaded library %s
                                                                                                                                                                                                        • API String ID: 0-2877805755
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • MapViewOfFile.KERNEL32(?,00000002,00000000,00000000,?), ref: 73D9CAB1
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D9CABD
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • _MD_AttachSharedMemory: MapViewOfFile() failed. OSerror: %d, xrefs: 73D9CADE
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorFileLastView
                                                                                                                                                                                                        • String ID: _MD_AttachSharedMemory: MapViewOfFile() failed. OSerror: %d
                                                                                                                                                                                                        • API String ID: 311336725-2908509698
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • LockFile.KERNEL32(?,00000000,00000000,00000000,000000FF,73D93F10,?), ref: 73D995CC
                                                                                                                                                                                                        • GetLastError.KERNEL32(?), ref: 73D995D7
                                                                                                                                                                                                          • Part of subcall function 73D83EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D83FD4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • _PR_MD_LOCKFILE() failed. Error: %d, xrefs: 73D995F4
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CriticalEnterErrorFileLastLockSection
                                                                                                                                                                                                        • String ID: _PR_MD_LOCKFILE() failed. Error: %d
                                                                                                                                                                                                        • API String ID: 1358300211-3062140089
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • UnmapViewOfFile.KERNEL32(?), ref: 73D9CB74
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 73D9CB7E
                                                                                                                                                                                                          • Part of subcall function 73D83EB0: RtlEnterCriticalSection.NTDLL(-0000001C), ref: 73D83FD4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • _MD_DetachSharedMemory: UnmapViewOfFile() failed. OSerror: %d, xrefs: 73D9CB9E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CriticalEnterErrorFileLastSectionUnmapView
                                                                                                                                                                                                        • String ID: _MD_DetachSharedMemory: UnmapViewOfFile() failed. OSerror: %d
                                                                                                                                                                                                        • API String ID: 2920721728-1850521274
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(Function_00019ED0), ref: 73D99ED5
                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 73D99EE1
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • InitializeCriticalSectionEx, xrefs: 73D99EDB
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000025.00000002.2089960577.0000000073D81000.00000020.00000001.01000000.00000010.sdmp, Offset: 73D80000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000025.00000002.2089922701.0000000073D80000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073D9F000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090146215.0000000073DA2000.00000002.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        • Associated: 00000025.00000002.2090245343.0000000073DA7000.00000004.00000001.01000000.00000010.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_37_2_73d80000_certutil.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                                                                                        • String ID: InitializeCriticalSectionEx
                                                                                                                                                                                                        • API String ID: 1646373207-3084827643